DHHS violated state security standards for data on laptops
Posted November 14, 2008
Raleigh, N.C. — The loss of a laptop last month from the Department of Health and Human Services put patients at risk of identity theft because the data was not encrypted – a violation of state security standards.
That's according to a Nov. 6 memo to DHHS Secretary Dempsey Benton from the state's chief information officer, George Bakolia.
In addition, Bakolia said DHHS might have been in violation of other standards regarding the safekeeping of data stored on laptops.
This year, the agency has reported 10 laptop thefts, two of which were confirmed to have contained personal information and another two which could have, Bakolia said.
"None of the stolen laptops was encrypted. This record of non-compliance is unacceptable," he said.
Two others were reported missing, according to the state Office of Information Technology Services.
The latest theft occurred last month in Atlanta while an employee of the state Division of Aging and Adult Services was returning from a conference.
The state has contacted patients whose information might have been on the laptop. Anyone with questions or concerns can call the DHHS's CARE-LINE, Information and Referral Service at 1-800-662-7030 or 1-877-452-2514.
Bakolia said DHHS was supposed to be in compliance by Nov. 1 with a recent state policy requiring all laptops be encrypted.
Benton, in a Nov. 14 letter, responded saying DHHS is "as concerned as anyone over the protection of confidential data" but that it has taken time to implement the policy in the department because its offices are all over the state.
Each division of DHHS must submit a status report to his office by Nov. 20 detailing where they stand on complying with state policy, Benton said. His office has also prohibited employees from removing sensitive information from DHHS offices unless it has been encrypted.