From Computerworld (via Slashdot) we learn that a home health care business deliberately sent patient info home with an employee as part of their disaster recovery plan. I’m serious. Now, unless this guy lives under Cheyenne Mountain, I’m saying that’s a dumb plan. Anyhoo, some of the information was encrypted, but much of it was not. Specifics on what was stolen:
The information on the disks and tapes included names, addresses, dates of birth, physicians’ names, insurance data, diagnoses, prescriptions and some lab results. For approximately 250,000 of the patients, Social Security numbers were on the records, according to the health system. Some of the records also included patient financial information.
Funny. A guy at Ameriprise (foolishly) takes his work home and gets canned for it. Meanwhile, the exact same activity is mandatory at another regulated institution.
(BTW, sorry if I sound snarky — low on caffeine at the moment)
Update 02/04/2006: The police report is now available online. It is very interesting. It’s also worth noting that a single individual whose PII was stolen has so quickly created a community web site dealing with the breach that exposed his information.