Back in July 2013, four computers were stolen from a large health care provider in Illinois, USA.
That’s because the computers contained Personally Identifiable Information (PII) of patients going right back to the 1990s – four million of them, in fact.
The computers were password protected, whatever that means, but the data on their hard disks was not encrypted.
In theory, then, if you were to put the hard disks into another computer, or boot the “protected” computers from a CD or USB key, you would almost certainly be able to copy off any or all of those four million records.
The stolen data is said to have contained at least names, addresses, dates of birth and Social Security numbers (SSNs).
SSNs are the closest thing that the US has to a national identity number, giving them an influence in identity and identification that they don’t really deserve.
With your address, date of birth and SSN, an identity crook has a pretty good shot at committing fraud in your name.
So, Advocate has apparently already been hit with the expense (and hassle) of contacting the affected patients, and of offering them a year of free credit monitoring.
Credit monitoring services aim to keep their eye on financial transactions carried out in your name, helping you to spot fraudulent activity on your existing accounts, as well as attempts to open new accounts that you might otherwise know nothing about.
Now, things have just got a whole lot more onerous, with the filing of a class action suit that could end up pitting millions of individuals against Advocate in court:
“This is a consumer class action lawsuit brought by Plaintiffs, individually and on behalf of all other similarly situated persons (i.e. the Class Members), whose unencrypted personally identifiable information and personal health information — names, addresses, dates of birth, Social Security numbers, treating physician and/or departments for each individual, their medical diagnoses, medical record numbers, medical service codes, and health insurance information (collectively referred to as ‘PII/PHI’) — entrusted to Advocate was stolen by a thief or thieves while in the possession, custody, and control of Advocate.”
(You have to love lawyerly English. Why not use three words when none would have done? The data wasn’t just stolen from Advocate, it was stolen from the company’s possession, custody and control.)
Class actions of this sort can end up expensive for the defendant (and lucrative for the lawyers, I must add, which may help to explain their propensity for pleonasm).
Facebook, for example, recently paid out a settlement for attaching its users’ names and photos to online ads without permission; the bill for that, which involved just over 600,000 eligible claimants, came to $20 million.
The chief lawyer of the company that has taken on the class action against Advocate said:
“In this age of advanced technology, Advocate had to realize that its unorthodox methodology for maintaining important and private data posed a risk to the safety and security of their patients.”
I don’t mean to excuse Advocate’s lapse, and I don’t disagree that the company should have realised the risk it was taking, but (for all the wrong reasons) I’m not so sure about the word “unorthodox.”
In my experience, encryption is still a technique more honoured in the breach than in the observance, with an awful lot of the world’s PII stored in plaintext.
At the end of 2011, for example, we bought a stash of USB keys from an Australian train company’s lost property auction, interested to see what we might find.
We ended up with 50 USB keys containing 4443 directly readable files, ranging from movies and images, through tax records and software source code, to the minutes of an activists’ meeting.
The number of encrypted files we found?
We need to change the world so that storing data unencrypted really is unorthodox.