Breach Incident Triggers Encryption
4,000 Youths Affected by Hard Drive Theft

Maryville Academy in suburban Chicago says in a statement on its website that it discovered on Feb. 1, 2011, that the secondary back-up portable hard drives containing information on nearly 4,000 children and adolescents who received services at the academy had been removed from a locked room. The breach occurred between Jan. 25, 2011, and Feb. 1, 2011, and affected those who were served between 1992 and 2011.
Information on the drives included some Social Security numbers as well as names, dates of birth, Department of Children and Family Services identification numbers, and historical information on children and their families, including treatment plans, medications and reports on behaviors. The academy says it has no evidence that anyone has attempted to access, use or disclose the data.
The academy's statement gives a more detailed account of its remediation than many other organizations have offered after recent incidents. It states:
"All data security policies and procedures have been reviewed and updated, including the maintenance of back-up hard drives. To protect against any future breaches, Maryville Academy has changed the location of its local site and the manner for storing any back-up hard drives and has upgraded the security for this purpose.
"In addition, Maryville Academy is now in full compliance with the U.S. Department of Health and Human Services' recommended procedure of using data encryption to protect clients' health information. Maryville Academy has begun a practice of using specialized security software to completely encrypt all the records on these back-up hard drives. This encryption software scrambles the data on the back-up hard drives, which makes the information unusable in the event they are ever lost or stolen in the future."
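The statement describes whole-drive encryption of the back-up disks, so that a stolen drive yields only unusable ciphertext. The following is an added example, not the academy's software or configuration, and the page does not name the product it uses. It shows the same property at the archive level with AES-256-GCM from the Python `cryptography` package, together with the two checks a practitioner would want before trusting such a setup: the key is never stored on the drive, and the stored bytes contain none of the plaintext records. The function names (`encrypt_backup`, `verify_backup`, `leaks_plaintext`), the `BKP1` header and the sample record are assumptions made for the example; the record is constructed and uses an obviously invalid Social Security number.

```python
"""Encrypt a backup archive before it is written to a portable drive.

Added example (not Maryville Academy's code): AES-256-GCM via the
`cryptography` package. The drive holds only ciphertext; the key is
kept elsewhere (HSM, KMS, or an access-controlled separate host).
"""
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"BKP1"   # hypothetical header so the format is recognisable on disk
NONCE_LEN = 12    # 96-bit nonce, the recommended size for GCM


def generate_key() -> bytes:
    """256-bit key. Store it OFF the portable drive; a key on the drive
    makes the encryption worthless when the drive is stolen."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_backup(plaintext: bytes, key: bytes, label: bytes) -> bytes:
    """Return MAGIC || len(label) || label || nonce || ciphertext+tag.
    `label` (e.g. drive serial and date) is authenticated but not hidden."""
    nonce = os.urandom(NONCE_LEN)  # fresh per file; never reuse with one key
    ct = AESGCM(key).encrypt(nonce, plaintext, label)
    return MAGIC + struct.pack(">I", len(label)) + label + nonce + ct


def decrypt_backup(blob: bytes, key: bytes) -> bytes:
    """Inverse of encrypt_backup. Raises InvalidTag if the blob was
    altered or the key is wrong, so a corrupted restore is never silent."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a backup blob")
    off = len(MAGIC)
    (label_len,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    label = blob[off:off + label_len]
    off += label_len
    nonce = blob[off:off + NONCE_LEN]
    off += NONCE_LEN
    return AESGCM(key).decrypt(nonce, blob[off:], label)


def verify_backup(blob: bytes, key: bytes) -> bool:
    """True only if the blob decrypts and authenticates under `key`."""
    try:
        decrypt_backup(blob, key)
        return True
    except (InvalidTag, ValueError):
        return False


def leaks_plaintext(stored_bytes: bytes, samples) -> bool:
    """Spot check against the bytes actually on the drive: does any known
    plaintext fragment (a name, an SSN) appear verbatim?"""
    return any(s in stored_bytes for s in samples)


if __name__ == "__main__":
    # Constructed sample record; the SSN is deliberately invalid.
    record = b"name=Jane Doe;dob=2001-03-04;ssn=000-00-0000;dcfs_id=EXAMPLE"
    key = generate_key()
    blob = encrypt_backup(record, key, b"backup-drive-2 2011-02-01")
    assert decrypt_backup(blob, key) == record
    assert not leaks_plaintext(blob, [b"Jane Doe", b"000-00-0000"])
    print("encrypted backup verified; no plaintext fragments on disk")
```

Whole-drive tools such as LUKS or BitLocker give the same guarantee for every sector rather than per archive, but the two checks above carry over unchanged: confirm the key material is not stored on the drive, and scan the raw device for known plaintext before the drive leaves the building.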
The incident is not yet listed on the HHS Office for Civil Rights' list of major healthcare information breaches. Under the HIPAA breach notification rule mandated by the HITECH Act, breaches of unsecured protected health information must be reported to OCR and to the individuals affected. Breaches affecting 500 or more individuals must be reported to OCR without unreasonable delay and no later than 60 days after discovery, while smaller incidents are logged and reported to OCR annually. Data encrypted in line with HHS guidance is not considered "unsecured," which is why the loss of a properly encrypted drive would not trigger these notifications.