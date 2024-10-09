A medical practice administrator had work to do over a holiday weekend, so they took their work laptop home. This person was a long-standing employee, well-liked and had great employee reviews — the type of individual any organization would trust to be a responsible caretaker of any sensitive data in their possession.

The particular work laptop the employee took home contained patient information subject to HIPAA protections, as well as financial data that could very quickly do the organization damage if it fell into the wrong hands.

On the first workday after the holiday weekend, the medical practice received a phone call. A family member called to inform them that the administrator had died, killed in an auto accident.

Workers at the medical practice were appropriately distraught over losing the coworker they had known for years and offered their condolences to the family and each other. At the same time, there was concern about the laptop and the sensitive information it held. The family was informed about the need to return the laptop to the medical facility, but it could not be found.

The medical practice was now faced with the possibility of having to report the situation as a data breach, but still wanted to make sure the data would remain secure and private. The organization used a Managed Service Provider (MSP), which implemented security tools across the medical practice’s devices, including encryption and remote data security tools, like revocation of access, remote data wiping and other security and reporting tools.

The MSP quickly performed a check of the computer and discovered that it was indeed connected and online. By deploying another anti-theft tool, it was possible to activate the laptop’s webcam to see where the laptop was, and who was using it.

The image revealed none other than the deceased administrator — very much alive and holed up in an RV in the desert. Apparently, they were watching YouTube videos with a new dirt bike resting against the wall. The police were contacted, and further traces located the rogue employee’s position. The authorities discovered the administrator with the stolen laptop, USD 8,000 in cash, and soon learned that the RV was stolen as well.

Encryption would not have been enough on its own (since the administrator had the credentials). What was important was the ability to remotely remove access and remotely wipe sensitive data from a device altogether.