Yottabytes: Storage and Disaster Recovery

Jan 31 2018   10:57PM GMT

Spinal Facility Loses ‘Back’-Up Hard Drive

Sharon Fisher

Tags: privacy, Security

It’s been a while since we had a good Companies Behaving Badly with people’s data story, but here we are: “Charles River Medical Associates says it lost a portable hard drive believed to contain personal information and x-ray images of everyone who received a bone density scan at its Framingham [Massachusetts] radiology lab within the past eight years,” writes Jonathan Dame in the Worcester Telegraph. “That is 9,387 people.”

What is it with medical facilities and losing data, anyway? Why are medical professionals always traipsing around with data and losing it? “Dammit, Jim, I’m a doctor, not a security professional!”

And this is in Framingham, the birthplace of IDG and Computerworld. You’d think they’d know better, through osmosis or something.

The interesting thing about this one is it isn’t someone who left a laptop in a cab or lost a thumb drive. The hard drive just turned up missing.

Oh, and it’s been missing since November – actually, maybe before that, because the data only got backed up once a month and the last time it was backed up was October — but it took them until early January to notify anybody because they were looking for it. “We determined a week and a half or so ago that … it was definitely lost,” the executive director of the clinic told Dame. “It’s hard to speculate on what could have happened to it.”

Don’t be silly. It’s easy to speculate on what could have happened to it.

  • Someone stole it for the data.
  • Someone stole it for the hardware.
  • Someone stole it for their kid.
  • Someone has a backbone fetish.
  • Someone stole it because there was data on it they didn’t want people to see, ranging from a potential case of medical malpractice to some medical condition they wanted to keep private. Didn’t you people ever watch House?
  • Someone thought it would make a good doorstop.
  • Someone accidentally damaged it and figured it would be better if it “disappeared.”

That’s just two minutes of speculation, and I was hardly trying.

Needless to say, the drive was not encrypted.

In case you’re wondering why someone needed the bone density scans of 9,387 people in the first place, apparently the disk drive was the backup, performed every month. So give them credit for that: They did backups.

(“Back” ups. Of spinal pictures. LOL.)

The good news is that, while the missing hard drive contained thousands of X-ray images of people’s spines, it did not have insurance information or Social Security numbers, Dame writes, quoting the letter that the facility was required to write to the U.S. Department of Health and Human Services, as well as to local media.

In the letter, Charles River Medical Associates warned patients to take precautionary steps “to guard against any potential negative impact from this unfortunate incident,” including monitoring credit reports.

How someone was going to get into someone’s credit account by waving an X-ray of a spine around, the facility didn’t say. Biometrics are big these days, but one usually hears about retinal scans or fingerprints rather than backbone pictures. Better safe than sorry, I suppose.

The company assures us that it will no longer use unencrypted portable storage devices to store medical records, and it’s “undertaking a broader review of its security protocols,” Dame writes. Perhaps they can find an IDG person to advise them. In the future, while it’s commendable that the organization does backups, it might want to think about backing the data up to the cloud, where it can’t go on walkabout. And, maybe, encrypt it?

1  Comment on this Post

 
  • EKA123
    Very funny
