HIPAA covered entity fined $150,000 for lost thumb drive containing PII / PHI

More and more, we're hearing about instances where networks are breached and the personal information of hundreds, thousands, millions, even tens or hundreds of millions of people is compromised.  The net result is a huge black eye for the targeted entity (think Target here), a lot of rightfully worried people (the ones whose personal information may or may not have been compromised) and a lot of fines and class action lawsuits being thrown about.  When the data is lost to an attacker who breaks in (like Target), that's one thing.  When the data is lost through negligence (like a lost thumb drive containing unencrypted personal information), it's a completely different thing.  It's this second scenario that I'd like to address with this post.


There is no doubt that the ability to simply copy a file to a USB thumb drive, tuck the thumb drive in your pocket and finish your work from home is incredibly easy and convenient, but it's not without its risks.  Aside from the reliability issue (what if the thumb drive fails, what if it gets damaged en route, what if it somehow falls into the toilet, etc.), there can be significant security issues.  What if it gets stolen?  What if it falls out of your pocket when you're paying for that latte?  What if, when you get home, it's just gone and you have no idea where it is?  If you report it, you're in trouble.  If you don't report it and someone finds it (whether they report it or not), you're in trouble.  What to do?


In most cases, the better option is to leave the data under (physical and logical) lock and key at the office or data center and access it remotely via a VPN.  Many of the people I talk with about this go blank and shut down as soon as I say either "firewall" or "VPN", and when I use both in the same sentence they really zone out, but it's not as complicated as it's been made out to be.  Most of the time there is (or should be) already a firewall in place, and most newer firewalls support some kind of VPN out of the box.  Windows has had a VPN client built in since Windows XP, so the parts needed for a minimal VPN are already there.

So, back to our story.  What's the better way of working on that data from home?  Get a firewall that supports one or more VPN connections.  We recommend the Cisco ASA 5500 series (typically the 5505) or the SonicWALL TZ series (typically the TZ 205 is sufficient for small to medium sized offices).  Both have built-in support for several types of VPN connection and can support multiple users connected to the VPN simultaneously.  For the users who will be accessing the data remotely, issue company laptops, or keep a pool of take-home laptops that users can check out when they need remote access to data.  Put whole-disk encryption on those laptops so that, if an employee does download data to the local drive, it's still protected by the drive encryption should the laptop be lost or stolen.  Employees then work from home, the hotel, the road or anywhere they can securely establish a VPN connection, and the data never leaves that physical or logical lock and key.  Two caveats: the VPN only helps if the data actually stays on the server, so the laptops should also be set to refuse writes to removable media, and running the VPN client on an unmanaged home PC brings back the very problem you're trying to solve, which is why the laptops are company-issued.

In addition to keeping the data safe, this mitigates the problem of having multiple copies of the data (Susie worked on foo.doc, Tom worked on foo.doc and Joe worked on foo.doc, all copies that they took from the server to their own thumb drives, and they're all about to upload different versions to the server; whichever is uploaded last ends up being the authoritative copy) and the problem of the thumb drive holding the only copy of the PowerPoint presentation that's going to save the company failing at the most inopportune time possible.
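As an added example (not from the original post, and not vendor-supplied code for either firewall mentioned above), here is what the laptop side of that setup looks like in PowerShell: turn on whole-disk encryption, escrow the recovery password, and block writes to removable disks so the data can't be copied back onto a thumb drive.  It assumes an elevated PowerShell on Windows 10/11 Pro or Enterprise with a TPM, that the system drive is C:, and that you already have a place to store the recovery password it prints.

```powershell
#Requires -RunAsAdministrator
# Added example: baseline hardening for a company-issued take-home laptop.
# Assumptions: Windows 10/11 Pro/Enterprise with a TPM, OS volume is C:,
# the BitLocker PowerShell module is present (it ships with those editions).

# 1. Whole-disk encryption: enable BitLocker on the OS volume if it is not on yet.
$os = Get-BitLockerVolume -MountPoint 'C:'
if ($os.ProtectionStatus -ne 'On') {
    # The TPM protector unlocks the drive transparently at boot; the recovery
    # password is what the help desk uses if the TPM or boot chain changes.
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
}

# 2. Show the recovery password so an administrator can escrow it BEFORE the
#    laptop leaves the building (store it in AD/your password vault, not on the laptop).
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object KeyProtectorId, RecoveryPassword

# 3. Deny writes to removable disks. This is the registry backing for the Group
#    Policy setting "Removable Disks: Deny write access"; the GUID is the
#    Removable Disks device setup class used by that policy.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name 'Deny_Write' -Value 1 -Type DWord

# 4. Report every volume's state so the laptop can be checked before check-out.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionMethod
```

Run it once per laptop, then confirm `ProtectionStatus` reads `On` for C: in the final report.  The removable-disk policy is applied when storage policy is next refreshed (a `gpupdate /force` or reboot is the simplest way to make sure), and it blocks writes to every removable disk, including BitLocker-To-Go encrypted ones; if you want to allow encrypted sticks only, use the separate BitLocker policy under the FVE key instead.  In a domain, push the same settings through Group Policy rather than a script, and keep the recovery passwords in Active Directory so that the help desk, not the employee, holds them.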


Company fined $150,000 for losing USB disk with sensitive information on it.