The drives were being transported to an offsite storage location when the theft occurred, on 13 February. ISMA went public with the breach on Monday, having apparently sent out letters to those affected a few days earlier, three weeks after the incident.
Data on the drives includes at least the standard set of personal details, such as names, dates of birth, health plan ID numbers, and physical and email addresses. In some cases it also includes Social Security Numbers and/or details of medical history.
Those affected should already have been told what level of information about them may have been leaked.
ISMA’s statement claims the data on the drives “cannot be retrieved without special equipment and technical expertise”, although it’s not clear if that equipment and know-how means anything more than a computer to connect the drives to and the skills to plug them in and mount them.
There’s certainly no mention of strong encryption being applied to the records, implying that they were stored relatively insecurely.
ISMA has posted a detailed FAQ for those affected, and will provide credit monitoring services for those who want them – the deadline to apply for this is 8 June 2015.
Many of them may already have availed themselves of ID protection, as there’s likely to be a considerable overlap with the epic Anthem breach, which affected huge numbers of people across the US.
As Paul Ducklin recently pointed out, medical information is highly sensitive, opening up all sorts of opportunities for social engineering and identity theft.
All such data needs to be properly secured, to protect it not just from hackers as in the Anthem case, but also from inadequate anonymisation when referenced online, and of course from the many dangers of the physical world.
Backups are of course a vital part of any security and integrity regime, but it’s worth remembering that they also bring some added security risks of their own. Backed-up data needs to be stored securely, ideally in a separate location from the master copies, and transporting data is always a fragile part of the chain.
We routinely hear of data being lost in the post, devices being mislaid in trains, planes and taxis, and even records simply falling off the back of trucks.
In this case, the incident is described as a “random criminal act”. The proper tactic to mitigate this risk is not heavily armed security guards escorting couriers to backup storage locations, but something much simpler and cheaper.
All data considered sensitive or important should be strongly encrypted as a matter of routine when immediate access is not required.
Off-site backups in particular should be locked down as strongly as possible, given that decryption time will not add significantly to the restore process.
Keeping data well encrypted adds another layer on top of the security of storage facilities, and minimises the danger from “random criminal acts”, and even from carelessness, when data is in transit.