All the data security in the world doesn’t help if you don’t lock the damn door.
Medical and financial records of about 1.7 million people — mostly patients — from Jacobi Medical Center, North Central Bronx Hospital, Gunhill Health Center, and Tremont Health Center in New York’s The Bronx were stolen in December, iHealthbeat reported. The news is coming out now because the 1.7 million people are all receiving letters explaining the problem to them and offering them an information hot line, customer care centers, and free credit monitoring and fraud resolution services for one year if they register within the next 120 days, according to an article in the New York Times.
Was it a Russian hacker? Malware?
No, the problem is that the affected information was stored on magnetic data tapes left in an unlocked van belonging to GRM Information Management Services, the city’s health record vendor. The tapes were reportedly being moved to a “a secure storage location.”
It sounds like the punch line to a joke — the saying “Never underestimate the bandwidth of a station wagon full of mag tapes speeding down the highway” has been around since the 1990s. But apparently it’s all too real. The New York Health and Hospitals Corp. has since fired GRM and has filed suit against the company to hold it responsible for covering all damages related to the loss of the data.
NBC New York quoted an HHC spokeswoman as saying that there had been no reports of any access to the data, and that “highly specialized and technical expertise and certain tools” would be required for the thief to gain access to the data. Nonetheless, the organization is legally required to notify all the victims and take steps to mitigate any damages. (To add insult to injury, this was the third time the organization had been hit by theft, though the previous instances were much smaller.)
Lessons to be learned? The first step in storage and backup security is physical access, and that data loss is less often caused by hackers and viruses than is commonly believed.