Laptop blunders (5×8 – 9/28/11)

Privacy’s weak link, decency dies in Superior, Minnesota at high speed, a lake logo a day, and the last day of Minnesota baseball.


1) PRIVACY’S WEAK LINK

“Human error” is being blamed for exposing the private information of 14,000 patients at Fairview Health Services and 2,800 at North Memorial Medical Center. That’s a nice way of saying someone did something incredibly stupid when a laptop with private information was stolen from a car in the parking lot of a restaurant.

“The laptop should have been encrypted which would render the information on the laptop unreadable,” Lois Dahl, Fairview’s head of privacy told MPR. “But there was a process breakdown and human error caused that encryption process not to be on that computer.”

A “process breakdown?”

“The assumption was the information was safe,” Dahl told the Star Tribune. That’s the same assumption the person with the laptop — a private contractor — had when leaving the laptop in the car at a restaurant and ate his/her last meal as an employed person. Maybe. We don’t know that for sure because of privacy rules.

The official says it’ll be hard to break into the computer because it has a password. But if a contractor is dumb enough to leave a laptop with thousands of valuable names and data on it in a car at a restaurant, what are the odds the password isn’t “password?”

“Someone would have to use technical measures beyond the average person in order to get at the data on the device,” Dahl said. But identity thieves aren’t normal people and, the only assurance that the existing password is secure is because the company that didn’t encrypt the data and didn’t protect the laptop said so.

Who’s responsible for this sort of blunder? At North Memorial, officials punted when the Pioneer Press asked:

At North Memorial, Accretive Health is helping to “streamline its insurance, patient and billing systems,” spokeswoman Wendy Jerde wrote in an email. It’s a “question for Accretive,” she wrote, to explain why an employee working on such a project would need patient information on a laptop.

Last month, a California hospital learned that one of its contractors had posted private data of 20,000 emergency room patients to a public website, where it stayed for more than a year.

In the last two years, in fact, the medical data of more than 11 million people have been exposed, according to the Department of Health and Human Services. Twenty-two thousand people were affected in Minnesota, not including this latest leak.

Many of the cases involve private firms contracted by the hospital, much of the data was unencrypted when it disappeared, though the firms assured their hospital clients that it was.

That fact is one clue to what hospitals can do to minimize the possibility of misery for its patients: Get a second opinion on that encryption thing.

NewsCut has a lot of I.T. professionals in its audience. Let’s hear from you: Big deal or much ado about nothing? (Update: See comments for analysis)

2) DECENCY DIES IN SUPERIOR

Someone pried plaques off grave markers at a Superior cemetery. A brass plaque at the gravestone of a woman who hasn’t died yet may have been taken for its scrap value. Ellie Hanson told the Duluth News Tribune she was going to put an ad in the local paper. “It was going to say: Whoever stole the marker on my grave, I’d like to have it back. I plan on dying soon.”

Donna Polaski, the sister in law of a woman whose grave was similarly vandalized told the paper things have gotten out of hand. “You can’t leave anything out overnight or it’ll be gone,” she said. “It’s disgusting.”

3) MINNESOTA AT HIGH SPEED

Andrew Cross yesterday uploaded this video he made during the summer. Spot your favorite Minnesota scene. It’s a neat production.

Andrew Cross Timelapse Reel 2011 from Andrew Cross on Vimeo.

Last night was supposed to be prime viewing for the northern lights in this part of the world. Clouds prevented any sightings in the metro. We have no reports of any being spotted up north.

4) A LAKE LOGO A DAY

Designer Nicole Meyer was raised near lakes in the suburbs of Madison, then studied in Minnesota. “Growing up I was basically surrounded by lakes,” she tells Co.Design. After college, she moved to Phoenix and there aren’t many lakes in Arizona, let alone 10,000 of them (psst, many of them are actually “ponds,” Minnesota). She missed us. So she “decided to pay tribute to it: by designing a logo a day for each of Minnesota’s 10,000 lakes. According to our count, the project will take about 27 years. Twenty-seven years!”

As of this week, she has about 75 logos completed. Like this:

cass_lake_logo.jpg

Another Minnesota moment: Paddling the Boundary Waters and Quetico…

Here’s equal time for you, South Dakota. Bethany Naab, who writes the One Girl Trucking blog, gets out of the truck and explores the Fort Randall Church in her latest post.

Azza Al-Shamasi tried to do the same thing as Bethany — get behind the wheel and drive. For that she was sentenced to 10 lashes yesterday.

5) THE LAST DAY OF MINNESOTA BASEBALL

The Twins play their last game today at The House That Rene Tosini built. This date in history is a bad, bad day for the franchise. It was 16 years ago today that Kirby Puckett took a Dennis Martinez pitch in the eye. He never played another game.

It was a brutal scene because Puckett looked convinced the pitch would break. Only at the last second did he turn his head, and by then it was too late. Blood pooled on the ground. Puckett’s teammates ran to his aid.

At their feet was Kirby Puckett. Laid out in the batter’s box was Minnesota baseball.

When Puckett stood a few minutes later, a towel colored crimson by blood covered his mouth. After the game, Knoblauch said, “I still can’t believe how much he was bleeding.” .

It was also 33 years ago today that Calvin Griffith told a Waseca Lions Club meeting why he moved the team from Washington. “I found out you had only 15,000 blacks here,” he said.

Bonus: Today’s science video:

Even more bonus: We have a winner in the lawn mower endurance rally!

TODAY’S QUESTION

Faith has always been a powerful force in American politics. But clergy who preach politics from the pulpit could endanger the tax exempt status of their organizations. Today’s Question: Are limitations on clergy political speech a good thing?

WHAT WE’RE DOING

Midmorning (9-11 a.m.) – First hour: The debate over the validity of eyewitness identification.

Second hour: What’s the current state of the Social Security trust fund and what impact would suggested changes have on millions of Americans who receive financial aid through the program?

Midday (11 a.m. – 1 p.m.) – First hour: Former Sen. Dave Durenberger discusses the impact of federal health care reform and efforts to repeal it or have it ruled unconstitutional.

Second hour: Former U.S. Comptroller General David Walker, speaking to the St. Paul Chamber about his “Comeback America Initiative.”

Talk of the Nation (1-3 p.m.) – First hour: Political chatter with “The Political Junkie.”

Second hour: The grueling life of a model.

All Things Considered (3-6:30 p.m.) – Rep. Michele Bachmann speaks at Liberty University, a conservative college in Virginia today. MPR’s Brett Neely will be there.

Renowned St Paul composer Stephen Paulus teamed up with his son, Greg, to write TimePiece, a three-movement composition for orchestra and jazz ensemble, which will be presented as a world premier element ion the Minnesota Orchestra’s season opening concerts. Euan Kerr will have the profile.

  • Heard about the logo designer in one of those bottom of the hour filler bits on NPR.

    I had an ambition once to try and photograph as many lakes I could. I stopped when I realized just how long it would take me, and how much it would suck out of me taking photographs of other things…

  • Another Bob

    Saying the data is secure because there is a “password” is 100% false. Unless the data is encrypted, all an identity thief would have to do is pop a Knoppix or other Linux Live CD into the laptop, bypassing the Windows password entirely and allowing total access to all the data on the laptop.

    And while this may be beyond what the “average person” can do, it’s something that the average person could learn to do in about 5 minutes.

  • Joe Busch

    Encryption on a laptop with private data – HIPAA stuff in this case, it sounds like – is a Big Deal (TM).

    There’s a rule of thumb with computers. If you have physical access to the machine, then you have access to the data on the machine. All the passwords are trivially bypassed once you’ve actually got the machine in your possession – except for encryption. Full disk encryption is the most effective way to secure the data. In most cases, a stolen laptop with full disk encryption can be safely thought of as a hardware loss only, with the data remaining secured.

    Of course there are edge cases and bad behavior and a few technical attacks based on certain circumstances that allow that to be bypassed too, but they’re far from trivial. Bypassing passwords is trivial.

  • bench

    The northern lights were out up here in Duluth last night according to the Duluth News Tribune and also two nights ago for a very brief time, when I snapped this photo during a slight break in the clouds around 9pm.

  • Jeb

    Unless it’s encrypted, a password does nothing to stop an identity thief. At least the average consumer computer with Windows will show all the data on the computer if you connect the drive to another computer.

    Takes about $20 in hardware and about 30 seconds.

  • Mitch

    The point where I became aware of Schrodinger pretty much marked the end of my career in quantum physics. In some alternate universe, there is a version of me that gets it. In this life, I’m mostly covered in cat goo wondering what the heck just happened.

    Keep the science stuff coming!

  • Snyder

    The way to avoid problems like with this laptop theft is to maintain it on a network that you log into and don’t allow it to be downloaded.

    I should think there would either be a way to either prevent downloads from the network database or alert IT staff that data has been downloaded from the network so that they can investigate it and then discipline whoever violated the policy.

  • Dave V

    Re: Stolen Laptop, One single person, Bradley Manning, at the rank of ‘private’ supposedly had complete access to ALL the classified U.S government documents now in the hands of Wikileaks. I’m amazed this Minnesota patient data is newsworthy when the Classified system of the U.S. government goes unscrutinized!

  • Jim Shapiro

    God bless Bradley Manning, and long live Wikileaks.

  • Bob Collins

    Yes, if only there had been some examination of the classified system.

  • Jim Shapiro

    Calvin Griffith the racist and Kirby Puckett the rapist.

    Think perhaps that they’re fated to pass eternity seated next to each other, watching the 2011 Twins? 🙂

  • Bob Collins

    In the interest of historical accuracy, I should point out here that Puckett was cleared of sexual assault charges. The court of public opinion was a different matter.

  • Jim Shapiro

    Sorry. I used a little poetic/comedic license with that one.

    Calvin Griffith the racist and Kirby Puckett the accused defendant found not guilty of sexual assault charges and served with a restraining order by his wife because he tried to strangle her with an electrical cord and held a gun to her head as she was holding their daughter doesn’t have quite the same ring to it. 🙂

  • JackU

    On the laptop data encryption question, I’ll agree with everyone else who comments that a password doesn’t matter if I have access to the hardware. When I was teaching introductory courses on computers and networking one of the things I stressed with my students was that all the high powered security software in the world won’t help if I have access to the physical system. I can screw up your business with a screwdriver and a 2 lb drilling hammer. You will be hoping that your backups are current.

  • Jack Hammer

    Passwords, encryption … blah!

    Any hacker, um, I mean cracker with any savvy can get the data in minutes. Put it on “the could,” a standard HDD, a solid state HDD, flash drive, network, whatever. It isn’t that hard to get to.

  • vjacobsen

    My husband in a hard drive genius. OK, not really, but he’s pretty close. And so I’m not an IT person, but I do know this: to really, properly encrypt a hard drive, it takes a long time. (A week, I think?) It can be VERY hard to convince some managers that it’s worth the time it takes. He’s had some stories over the years…but he tries to get people to understand how important of a process it is.

  • Chris Thompson

    @vjacobsen:

    Nope. I can do drive encryption by default in my installations of my OS (Ubuntu Linux). The actual mechanism for performing it allows individual parts to be accessed and updates with little loss of performance.

    You may be thinking of supposed “military spec” drive *wiping*, where the entire disk contents are zeroed out and then rewritten with random bits over and over again.