A Lost Server: What Went Wrong?
Inventory Management, Data Disposal Practices in the Spotlight
The loss of a server at an optical wear retail store in Maryland offers a reminder not only of the importance of encryption but also the value of good inventory management and data disposal practices.
Visionworks Inc., a unit of Pittsburgh, Pa.-based healthcare insurer Highmark Inc., says the problems began when the server was being replaced in June during a remodeling project at its store in Annapolis, Md. "We believe that the server was accidentally removed with trash from recent renovations and taken to a local landfill" along with other materials, a Highmark spokesman tells Information Security Media Group.
The server held protected health information for as many as 75,000 of the store's customers, according to a Visionworks statement. "All credit card information housed on the server was encrypted, and therefore should not be at risk," the company says.
Besides the encrypted credit card data, however, the server also contained unencrypted data, including customer names and addresses and some information related to optometrist visits and lens prescriptions, the spokesman explains.
In the wake of the incident in Maryland, Visionworks, which has about 650 U.S. stores, "is in the process of fully encrypting all servers," the Highmark spokesman says. "The process should be complete within the next six months."
"At this time, there is no reason to believe that any of the information residing on the server has been accessed or used inappropriately," Visionworks says in its statement. The retailer says it's reporting the incident to the Department of Health and Human Services and "is notifying the potentially affected customers of the incident and informing them of the associated personal risks in an abundance of caution." The company is also providing those customers with free credit monitoring for one year.
While the incident is under investigation, "as of now, there are no updates on the location of the missing server," believed to be in the landfill, the spokesman says.
While lost and stolen unencrypted computers and storage media, especially mobile devices, are the most common culprits in breaches that appear on HHS' "wall of shame", which lists breaches affecting 500 or more individuals, some security experts say the Visionworks server incident is somewhat unusual.
"It's highly unlikely to lose a server since they typically don't move around once they get 'racked and stacked' in a data center," says Brian Evans, senior managing consultant at IBM Security Services.
Also, while encryption of all data contained on the lost server would have protected against a data breach, "it's not commonplace in healthcare to encrypt servers for a variety of reasons," he says. "Most organizations think they're safe because their data is secure within a data center environment where access is physically restricted," he says - unlike the retail setting where the Visionworks server was located.
"Visionworks could have benefitted from a formal media disposal and asset inventory process," Evans says. "As a result, the server operating system could've been wiped or destroyed while tracking and accounting for this asset."
Some other organizations have discovered the hard way how important it is to safeguard health information when equipment is being discarded. In August, for example, Affinity Health Plan, a managed care company based in New York, reached a $1.2 million HIPAA settlement agreement with HHS' Office for Civil Rights after a breach stemming from an equipment issue. That incident affected about 345,000 individuals whose data was discovered on the hard drives of copy machines that Affinity had returned to a leasing company (see $1.2 Million Penalty In Copier Breach).
All healthcare organizations should have policies that spell out how computing devices need to be handled if moved or relocated, says Tom Walsh, president of the independent security consultancy Tom Walsh Consulting.
He suggests that such a policy should state: "Any media, equipment, or device containing memory and possibly storing confidential information needs to be sanitized or erased before the media or equipment is reused, sent to a vendor for repair, sold, or prepared for donation or disposal."
Additionally, he says relocation policies often prescribe that, "hard disk drives are removed from servers, workstations, laptops and other devices - including multifunction printers - and kept temporarily in a secure holding area, such as a locked office/cage/room/cabinet, until the hard drives are physically destroyed by the IT department staff or electronics recycling vendor. The inventory tracking database also needs to be updated when equipment is removed from service."
Visionworks also could have avoided this incident by relocating the server to a more secure area during the store renovation project, Walsh notes. Doing so also would have increased control of physical access to the server by the construction crew. "These workers may be bonded, but replacing the server doesn't resolve the loss of information and the bad publicity that followed," he says.
The incident is also a reminder that an inventory of equipment "should always be maintained both on and offsite," Walsh says. "Although the loss appears to be accidental, until the device is recovered, the data it contains should be considered 'at risk,'" he adds.
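As an added illustration of the disposal and inventory policy Walsh describes above (not Visionworks' or Highmark's own tooling), the following Python models the lifecycle gate, sanitize before anything leaves custody, together with the inventory reconciliation that flags a storage-bearing asset nobody can locate. The asset tags, states and the renovation scenario are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class State(Enum):
    IN_SERVICE = "in_service"
    SECURE_HOLD = "secure_hold"  # drive pulled, held in a locked office/cage/cabinet
    SANITIZED = "sanitized"      # wiped or physically destroyed
    DISPOSED = "disposed"        # left custody: recycled, sold, donated, sent for repair

# Permitted lifecycle moves: nothing leaves custody until it has been sanitized.
ALLOWED = {
    State.IN_SERVICE: {State.SECURE_HOLD, State.SANITIZED},
    State.SECURE_HOLD: {State.SANITIZED, State.IN_SERVICE},
    State.SANITIZED: {State.DISPOSED, State.IN_SERVICE},
    State.DISPOSED: set(),
}

@dataclass
class Asset:
    tag: str            # constructed asset tag, e.g. "SRV-0001"
    location: str
    state: State = State.IN_SERVICE
    has_storage: bool = True
    history: list = field(default_factory=list)

class PolicyViolation(Exception):
    pass

def transition(asset: Asset, new_state: State, location: str, actor: str) -> None:
    """Record a custody change; refuse to dispose of unsanitized media."""
    if new_state not in ALLOWED[asset.state]:
        raise PolicyViolation(
            f"{asset.tag}: {asset.state.value} -> {new_state.value} not permitted")
    asset.history.append((asset.state.value, new_state.value, location, actor))
    asset.state, asset.location = new_state, location

def reconcile(inventory: list, observed: set) -> list:
    """Storage-bearing assets still in custody but missing from a physical count."""
    return sorted(a.tag for a in inventory
                  if a.has_storage and a.state != State.DISPOSED
                  and a.tag not in observed)

def demo() -> list:
    """Constructed scenario: an old store server is pulled during a remodel."""
    old = Asset("SRV-0001", "Annapolis store, back office")
    new = Asset("SRV-0002", "Annapolis store, back office")
    transition(old, State.SECURE_HOLD, "locked IT cabinet", "IT staff")
    # The physical count after the renovation only sights the replacement server.
    return reconcile([old, new], observed={"SRV-0002"})
```

Any tag returned by `reconcile` is an asset whose data should be treated as at risk until the device is found, exactly the posture Walsh recommends.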
"The main lesson here is that no matter how far-fetched or unexpected a threat is, disasters can happen and cause a devastating impact to an organization," Evans says.