Breach List: Good News, Bad News
Fewer Huge Cases, But Unencrypted Devices Still a Problem
The good news: There hasn't been a mega-breach reported in a while, so the growth in the number of Americans affected by breaches has slowed down.
The bad news: Despite tons of news coverage about breaches, incidents involving the loss or theft of unencrypted computer devices, from laptops and desktops to USB drives, remain the most common.
About 4.9 million Americans have been affected by 166 major breaches since last September, according to the tally from the Department of Health and Human Services' Office for Civil Rights. But the top five incidents represent more than 70 percent of that total.
The most recent of those incidents involved South Shore Hospital in South Weymouth, Mass., which reported that two boxes of backup computer tapes being sent for disposal were misplaced, potentially affecting 800,000.
That case has proven controversial, because the Massachusetts attorney general has objected to the hospital's decision not to individually notify those potentially affected.
In a recent blog, I expressed hope that when federal regulators issue the final version of the breach notification rule, they will greatly clarify precisely when a breach must be reported to individuals as well as regulators.
While it's certainly good news that we haven't seen a breach affecting more than 100,000 added to the list in the past two months, it's definitely bad news that so many breaches stem from the loss or theft of unencrypted devices.
For example, 19 of the most recent 28 cases added to the list involved such a theft or loss. Since federal regulators began compiling the list of breaches affecting 500 or more individuals, about 58 percent of cases have stemmed from the theft or loss of devices.
It's worth noting, once again, that the interim final breach notification rule now in effect, as called for under the HITECH Act, created a safe harbor: breaches involving data encrypted to a specified standard don't have to be reported.
So those nearly 100 breach incidents involving the loss or theft of devices wouldn't be on the list if only the data on the devices had been adequately protected.
Terrell Herzig, information security officer at UAB Medicine, wrote an excellent guest blog offering tips on how to protect portable devices, going far beyond the use of encryption. It's worth a close look.