Laptops plague government health data keepers

By Mary Mosquera

Two instances of health data breaches this week served as a stark reminder that the wayward laptop -- and not the hacked database -- might be the more insidious information security threat to government healthcare organizations and their beneficiaries.

The Veterans Affairs Department reported the theft of an unencrypted laptop with personal information of up to 616 veterans from an employee of a health services organization that does work for the department.

In New Mexico, the state's Health and Human Services Department reported May 11 that a breach of personal information may have affected 9,600 Medicaid Salud! Plan and Fee-for-Service members.

The VA said it had notified the veterans and was providing them with credit monitoring for one year. "The contractor self reported the incident and has disabled the user account and server access from the stolen laptop. No further access from this laptop is possible," said VA spokeswoman Katie Roberts in a statement May 13.

The statement was in response to a letter from Rep. Steve Buyer (R-Ind.), the ranking member of the Veterans Affairs Committee, to VA Secretary Eric Shinseki, inquiring about gaps in contractors' information security safeguards that may have contributed to breaches.

Buyer said in an announcement also on May 13 that he was notified of two data breach incidents in Texas within a two-week period. In addition to the laptop theft affecting more than 600 veterans, Buyer said a service-disabled veteran-owned business with 69 contracts across VA's healthcare environment also experienced the theft of a company laptop. He provided no other details about that breach.

VA reported the data breach to the committee, a measure put in place after a laptop with personal information of millions of veterans was stolen from a VA employee in 2006. That laptop was recovered and the information had not been accessed.

Among other safeguards, VA requires its vendors to apply information security controls to protect sensitive information and includes a clause to that effect in its contracts. As part of its security policy, VA also conducts security awareness training and requires encryption of laptops and desktops.

With all these and other measures that VA has established to protect veterans' information, Buyer questioned in his letter "why unencrypted devices are still accessing the VA's networks and storing information locally."

To ensure that the contractor that reported the data breach is beefing up security safeguards, VA said it will conduct an onsite audit and assessment of the contractor's facility and its scope of compliance with all IT security, information physical security, privacy, and records management requirements.

VA will also perform an independent verification of compliance with security requirements in all contracts that require vendors to store veteran personal health information and employee personally identifiable information.

In the New Mexico breach, DentaQuest, a company that processes claims and provides dental benefits for the state's Medicaid program, reported that an employee of one of its sub-contractors, West Monroe Partners, had an unencrypted laptop in the trunk of a car when the vehicle was stolen in Chicago on March 20. The state is in the process of notifying the affected individuals.

The computer was password protected but did not have other safeguards to prevent unauthorized access to the information. At this time, the stolen car and laptop have not been recovered, and it is not known whether the information on the laptop has been accessed.

The human services office said it is working with its health plan partners that administer the Salud! Plan, including Blue Cross and Blue Shield of New Mexico, Lovelace Health Plan, Molina Healthcare, and Presbyterian Health Plan, to make sure that they, as well as all subcontractors, develop appropriate security measures.