DaVita Suffers Computer-Data Theft In Florida

[Zach]

Hard Disk Encryption Software Not Used On Stolen DaVita Desktop Computers

Universal Security Solutions
December 13th, 2008

The folks over at PHI Privacy have found a letter filed with the Maryland AG’s office regarding a data breach at DaVita.  According to the letter, a DaVita facility in Florida was burglarized and “multiple desktop computers” were stolen.  The result is the possible data breach of 354 Maryland residents.  I imagine the total number affected would be much higher, since the letter to MD’s AG need concern only Maryland residents.

If you’re not aware, DaVita already lost a laptop computer with sensitive information back in February.  And the information lost in that case is similar to this recent one: the computers’ hard drives “may contain your name, social security number, medical insurance coverage information, and/or other personal and health related information.”  The wording was so similar that I checked to see if they had recycled the notification letter, and it looks like they may have, at least a portion of it.  That’s….pretty handy.

Handier than that would have been the use of hard drive encryption software like AlertBoot to secure the contents of these stolen computers.  I’ve noticed that a lot of people ask for, and recommend, the use of encryption software when it comes to nominally portable devices like laptops.  For example, the newly passed legislation in Massachusetts (201 MCR 17.00) makes a point of requiring laptops with sensitive information to be encrypted, but contains nothing related to desktops.

Why is it that interest in information security falls dead when it comes to desktops?  What’s so magical about desktops that they don’t require the same amount of data protection measures?  Can’t they be stolen?  If anyone holds this outmoded way of thinking, they’d be served well by discarding it.  I mean, it’s not as if the theft of computers didn’t exist prior to the invention of the laptop computer.

This is DaVita’s second breach in less than one year.  Did they fall into the fallacy of believing that desktop computers are “safer” than laptops?  I won’t assume they didn’t know that hard disk encryption as a security tool was available, since the company made an effort to note in the AG’s that encryption was not used on the now-missing desktops.

They say that the third time’s the charm.  Not that I’m hoping DaVita will have a third instance of computer theft.  But if it does, I think it’s high time for them to make changes so that the letter they send out can read “the stolen computer may contain your name, social security number, medical insurance coverage information, and/or other personal and health related information. But you can rest easy since  your information has been encrypted.”

Related Articles:
http://www.phiprivacy.net/?p=813
http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU-161396.pdf
http://doj.nh.gov/consumer/pdf/davita.pdf


Original Article:
http://www.alertboot.com/blog/blogs/endpoint_security/archive/2008/12/09/hard-disk-encryption-software-not-used-on-stolen-davita-desktop-computers.aspx

[Sluff]

Unbelievable. There has to be a better way to secure these computers useless when shut down.