A dentist in the Napa Valley (California, USA) has learned the hard way the importance of encryption. Protecting data at rest (live and archived) is just as important as protecting data in use and in motion.
Napa Valley Dentistry recently notified current and former patients of the physical theft of a server containing their personal information, including Social Security numbers. The notification reads:
"Someone broke into our locked storage unit, which was within a gated storage facility, and stole a password-protected server. Upon discovery of the theft, we promptly notified the Napa Police Department and will provide whatever cooperation is necessary to identify the perpetrator(s) and hold them accountable. On September 8, 2016, we confirmed that your personal information may have been on the server. In December 2012, Dr. Justin Newberry, DDS, purchased Napa Valley Dentistry, including this server, from Dr. C. Michael Quinn, DDS. The server may, therefore, contain personal information of Dr. Quinn’s former patients who may not currently have a relationship with Napa Valley Dentistry. While there is no indication that your personal information was, in fact, accessed without authorization, we are notifying you out of an abundance of caution and offering you identity protection services.
What information was involved?
The information included names, addresses, dates of birth, Social Security numbers and dental insurance information."
It's good that the practice notified current and former patients of the data breach, and better still that they did the right thing in offering twelve months of credit monitoring and identity protection services. What is not mentioned is whether the data on the server was encrypted. "Password-protected" is not the same thing: an operating-system login password only stops someone who has to go through the login screen. A thief who has the whole machine can pull the disks and read them on another computer, so the only protection that survives physical theft is encryption of the disk or database, with the key stored somewhere other than the stolen hardware.
On encryption, I'd make two points.
- Encrypt your backups as well as your live data.
Backups hold all the same data as the live system, and a backup server, drive or tape sitting in a storage unit is just as easy to walk off with as the production machine. If the live database is encrypted but the nightly dump is not, the dump is the weakest link.
- Ensure you hold the encryption keys.
Using "the cloud"? You may think you're fine because you don't store your own server or backup data. If you use a cloud environment, ensure that you or your organisation holds the encryption key, not the service provider. A provider that holds both the ciphertext and the key can decrypt your data on request, under legal compulsion, or after a compromise of its own systems; if only you hold the key, what sits in the provider's storage is as useless to an attacker as a stolen encrypted disk.
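The following script is an added example, not code from the original post or from the practice involved. It ties the two points above together: a backup is encrypted before it is written anywhere, and the only long-lived secret (a key-encryption key) never leaves the owner's hands. Each backup gets its own data-encryption key, which is wrapped with the KEK, so what you would hand to a storage unit or a cloud bucket is only the encrypted archive plus the wrapped key. It assumes the `openssl` command-line tool and a POSIX `tar`; the file names (`backup.kek`, `backup.enc`, `backup.dek.enc`) and the patient record are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI and a
# POSIX tar. File names below are hypothetical; the patient record is constructed.
set -eu

ITER=200000   # PBKDF2 iterations used to turn a passphrase file into an AES key

# Key-encryption key (KEK): the one secret that stays with you. Never copy it
# to wherever the backups live (storage unit, cloud bucket, provider-run KMS).
make_kek() {
  openssl rand -hex 32 > "$1"
  chmod 600 "$1"
}

# Encrypt directory $1 into the "upload set" $3.enc + $3.dek.enc using KEK $2.
# A fresh data-encryption key (DEK) protects the archive; the DEK itself is
# wrapped with the KEK. The plaintext DEK is deleted once both files exist.
encrypt_backup() {
  src_dir=$1; kek_file=$2; out_prefix=$3
  dek_file=$(mktemp)
  openssl rand -hex 32 > "$dek_file"
  tar -C "$src_dir" -cf - . | openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
      -pass "file:$dek_file" -out "$out_prefix.enc"
  openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
      -pass "file:$kek_file" -in "$dek_file" -out "$out_prefix.dek.enc"
  rm -f "$dek_file"
}

# Restore: unwrap the DEK with the KEK, then decrypt the archive into $3.
decrypt_backup() {
  in_prefix=$1; kek_file=$2; dest_dir=$3
  dek_file=$(mktemp)
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
      -pass "file:$kek_file" -in "$in_prefix.dek.enc" -out "$dek_file"
  mkdir -p "$dest_dir"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
      -pass "file:$dek_file" -in "$in_prefix.enc" | tar -C "$dest_dir" -xf -
  rm -f "$dek_file"
}

# Succeeds if string $1 appears verbatim in file $2, i.e. the data can be read
# off the medium with nothing more than grep, which is all a stolen disk needs.
leaks() {
  grep -a -q -- "$1" "$2"
}

# End-to-end check in scratch directory $1. Returns 0 when: the plain tar
# archive exposes the SSN, the encrypted archive and wrapped DEK do not, and
# the restore matches the original byte for byte.
demo_roundtrip() {
  work=$1
  mkdir -p "$work/live"
  # Constructed sample record, not real data.
  printf 'name=Jane Doe\nssn=000-00-0000\n' > "$work/live/patient.txt"
  make_kek "$work/backup.kek"

  tar -C "$work/live" -cf "$work/plain.tar" .
  leaks '000-00-0000' "$work/plain.tar" || return 1   # unencrypted backup: exposed

  encrypt_backup "$work/live" "$work/backup.kek" "$work/backup"
  if leaks '000-00-0000' "$work/backup.enc"; then return 1; fi
  if leaks '000-00-0000' "$work/backup.dek.enc"; then return 1; fi

  decrypt_backup "$work/backup" "$work/backup.kek" "$work/restore"
  cmp -s "$work/live/patient.txt" "$work/restore/patient.txt"
}

demo_roundtrip "$(mktemp -d)" && echo "backup encrypted, KEK held locally, restore verified"
```

The same pattern is what cloud "customer-managed key" options give you: the provider stores `backup.enc` and `backup.dek.enc`, and decryption is impossible without the KEK you generated and kept. Losing that KEK means losing the backups, so it needs its own offline copy, which is the price of the provider not being able to read your data.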