Last Friday the UCLA Health System took the precautionary measure of notifying thousands of patients of the theft of their private information.  Letters sent to the affected patients warned of possible identity theft and included contact information for a data security company to aid in the event of credit or identity theft.  The message also indicated that it is believed a situation where the compromise would result in identity theft was not likely.

 “UCLA’s concern for its patients is absolute, and we deeply regret any breach of confidentiality and the stress and concern it might cause”

The electronic information was reportedly stolen in a home burglary on September 6, 2011 and included records from July 2007 to July 2011.   What was interesting was that the information in question was located on an external drive.  The drive itself was encrypted, but the password apparently was written down on a scrap of paper that was near the computer.  That scrap of paper is also missing.  The notification came well after the incident as the affected patients had to be identified and located.   The trove of personal information reportedly did not include specific social security, financial information or insurance information.

Problems and missteps with confidential information are not unknown to the organization.  Recently, an $865,000 settlement was agreed to in the wake of a series of incidents where celebrity health records were accessed by employees.  Between 2005 and 2008, the records of Arnold Schwarzenegger, Britney Spears, Tom Hanks, and Farrah Fawcett, among others were determined to have been accessed through an investigation by the United States Department of Health and Human Services.  At the time of settlement, UCLA had stated that it had strengthened its systems and procedures, and had focused on retraining staff.

While putting the systems in place designed to have secured the drive with encryption, the point of failure again broke down to the staff behind the keyboard itself.  This illustrates a classic situation where despite available secure technology in place, a breakdown in procedure, practice or process expose a vulnerability that takes its place in the pantheon of security vulnerabilities: the user.  Training, awareness, and responsibility form the basis of secure practices, and matched with technology create a much stronger security profile for the organization.

Technology such as Citrix, Zenprise, or VDI technologies could have averted the scenario of localized storage of sensitive information in the first place.  In addition to encryption technology, a second or even third level of authentication could have helped avert this situation; things like biometric authentication, self-created PIN, PKI and token technologies would render a single password useless.  The bottom line is UCLA Health System got caught  halfway towards a better security posture.   Doctors are taking sensitive information home on portable media protected by a single level of authentication.  This is a bad situation and it has potential to lead to more fines or other legal action.