Stolen or lost unencrypted devices have posed a significant threat to healthcare entities throughout the United States for quite some time now, and a new breach report by the California Attorney General’s office confirms that the problem is ongoing. Unencrypted data has been identified as the major culprit in 131 breaches that affected 2.5 million individuals in the state of California last year alone.
The report revealed that physical breaches involving stolen or lost unencrypted devices were larger and affected more people on average. The law requiring state agencies to report breaches involving more than 500 individuals was enacted in California in 2012, and the state’s Attorney General Kamala D. Harris recently issued the first public report detailing the breaches. Announcing the report, Harris said that data breaches are a serious threat to privacy, finances and personal security.
Encrypting digital personal information is the key to privacy and security, according to Harris, who said that encryption could have prevented the organizations at fault from putting over 1.4 million Californians at risk. It is worth noting, however, that California is not the only place where breaches involving unencrypted devices are reported. Over the past few years, the infamous ‘Wall of Shame’ maintained by the US Department of Health and Human Services has listed a number of breaches involving unencrypted data, most commonly on mobile devices.
The breach report reveals that failure to protect physical information assets was the major cause of these breaches, affecting 40,223 people on average. This is underscored by the fact that two of the five largest breaches, namely the breach at the California Department of Social Services involving the loss of a computer storage device, and the breach at Emory Healthcare involving missing storage disks, were in the ‘physical’ unencrypted category.
Although healthcare providers were involved in a few larger breaches in the state of California, the retail industry topped the list with 34 breaches, which is 26% of the total number of breaches. This was followed by the finance and insurance sector with 30 breaches, or 23% of the total. Healthcare came third with 19 breaches representing 15% of the total.
The report does, however, offer some key takeaways. Firstly, healthcare entities should know that encryption is a must, and one good reason to get an encryption program started soon is the HIPAA Omnibus Rule, which necessitates encryption. Covered entities should remember that non-compliance under the HIPAA Omnibus Rule can attract penalties of up to $1.5 million per violation, and that the compliance deadline is September 23rd, which is just two months away.
The Attorney General’s report makes it clear that enforcement related to encryption will be one of the top priorities of the office, and it serves as a warning to healthcare entities about how to keep their names out of the breach totals for the coming year. Aegify Security Posture Management or Aegify SecureGRC can prove valuable at this point, by helping organizations prioritize their compliance initiatives and offering a framework of best practices to achieve compliance with the HIPAA Omnibus Rule.