On October 10th, it was reported in the press that the Maryland law firm of Baxter, Baker, Sidle, Conn & Jones had lost the medical data of 161 patients involved in a malpractice suit.
This was especially significant because it is so rare to hear of law firm data breaches - understandably, law firms are loath to have such stories become public. So how did this one come to light? The Baltimore Sun obtained a copy of one of the notification letters sent to the patients.
Here's what happened: One of the law firm's employees brought home a hard drive containing backup data - this was the firm's method of ensuring that it had an off-site backup. She took the Baltimore light rail system home and - you guessed it - left the drive on the train. Though she returned just a few minutes later, the drive was gone. And - can you guess - yes, the drive was unencrypted.
This happened on August 4th. Federal law (the HIPAA breach notification rule) requires that individuals affected by a breach be notified "without unreasonable delay and in no case later than 60 days following the discovery of a breach." It looks like the firm used up nearly the whole window: the October 10th story noted that the letters had been sent "last week."
The firm said it sent a formal letter to the hospital involved on September 16th though it said it had notified the hospital within days by phone. The hospital, when interviewed by the Sun in October, said it had been "recently informed." Hmmm.
In any event, it should be clear that carrying unencrypted backup media off site is a very bad idea. You will be shocked (not) to hear that the firm has now begun encrypting its data and is looking into off-site data storage.
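For anyone still doing off-site backups by hand-carried drive, here is what "encrypt it first" looks like in practice. This is an added example, not code from the original post and not the firm's own procedure; it assumes a POSIX shell with tar and the openssl CLI, and every path and file name in it is made up. The idea is that the keys are generated and kept only on the office machine, so the drive that rides the light rail holds nothing but ciphertext and an integrity tag.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a backup archive before it
# leaves the office, so a lost drive carries only ciphertext.
# Assumes: POSIX sh, tar, openssl CLI (1.1.1+ for -pbkdf2). All names are hypothetical.
set -eu

# Generate two random 256-bit secrets in a directory that stays on the office
# machine (mode 0600, never copied to the removable drive):
#   enc.key - passphrase for AES-256-CBC (stretched with PBKDF2)
#   mac.key - key for the HMAC-SHA256 integrity tag
make_backup_keys() {            # $1 = key directory on the office machine
    ( umask 077
      openssl rand -hex 32 > "$1/enc.key"
      openssl rand -hex 32 > "$1/mac.key" )
}

# Archive directory $1 into $2.enc (ciphertext) and $2.hmac (tag) using keys in $3.
# Only $2.enc and $2.hmac go onto the drive.
encrypt_backup() {
    src_dir=$1; out=$2; keydir=$3
    tar -C "$src_dir" -cf - . \
      | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass "file:$keydir/enc.key" -out "$out.enc"
    # Encrypt-then-MAC: tag the ciphertext so tampering is detected before decryption.
    openssl dgst -sha256 -hmac "$(cat "$keydir/mac.key")" -binary "$out.enc" \
      | openssl base64 > "$out.hmac"
}

# Verify the tag on $1.enc with keys in $2, then decrypt and extract into $3.
# Refuses to decrypt anything whose tag does not match.
restore_backup() {
    out=$1; keydir=$2; dest=$3
    expected=$(cat "$out.hmac")
    actual=$(openssl dgst -sha256 -hmac "$(cat "$keydir/mac.key")" -binary "$out.enc" \
               | openssl base64)
    if [ "$expected" != "$actual" ]; then
        echo "integrity check failed for $out.enc: refusing to decrypt" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$keydir/enc.key" -in "$out.enc" \
      | tar -C "$dest" -xf -
}

# Typical use (hypothetical paths):
#   make_backup_keys /etc/backup-keys          # once, on the office machine
#   encrypt_backup /srv/case-files /media/drive/cases-2011-08-04 /etc/backup-keys
#   restore_backup /media/drive/cases-2011-08-04 /etc/backup-keys /srv/restore
```

Two caveats a practitioner should keep in mind. First, the key directory is now the thing that must never be lost: if it goes, every backup encrypted with it is unrecoverable, so it needs its own protected copy (for example, in a safe, not on the same drive). Second, the drive's contents are protected only as long as the keys are not carried with it; putting `enc.key` on the drive "for convenience" recreates exactly the failure the post describes.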
The question is, why does it take an incident like this to get so many law firms to take information security seriously? It's a rhetorical question because there is no good answer.