HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hard Drive Theft Sees Data of 1 Million Individuals Exposed

Washington State University (WSU) in Seattle is notifying approximately 1 million people that some of their personal information has been exposed following the theft of a computer hard drive.

The hard drive was used to store backup information from a server used by the University’s Social & Economic Sciences Research Center (SESRC). The hard drive was stored in an 85lb locked safe. That safe, along with the contents, was stolen.

There is a possibility that the safe has been opened and the information on the hard drive has been accessed. The thieves would require some skill to view the information, as the data were stored in a relational database, which is not straightforward to access, although it is possible that they could figure out how to view it. WSU says some of the files on the device were password protected and some had been encrypted.

The University discovered the safe was missing on April 21, 2017, and immediately conducted an investigation. WSU brought in a leading computer forensics firm to determine which data were backed up on the device and could potentially be accessed. That investigation revealed the device contained personally identifiable information of research participants, including names, addresses and Social Security numbers. The data, which ran from 1998 to 2013, came from a variety of sources, including school districts and colleges that track students after graduation.


WSU cannot confirm if the safe was opened or if the information on the drive was accessed, although it has received no indications that information has been viewed. However, as a precaution, all individuals impacted by the incident are being offered membership to Experian’s ProtectMyID service for 12 months without charge.

The incident has prompted WSU to perform a thorough review of its IT practices and policies, and information technology operations will be strengthened as a result of the breach. Staff will also receive additional training on data handling best practices.

The data breach will prove costly for WSU. The recent Ponemon Institute/IBM Security Cost of a Data Breach Study calculated the average cost of university data breaches to be $245 per exposed record, although some of that cost is likely to be covered by the university’s cybersecurity insurance policy.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.