FHN Memorial Hospital Announces Hard Drive Theft and PHI Exposure

FHN Memorial Hospital in Freeport, IL, has announced that a computer hard drive was stolen from the hospital in December 2015. The drive stored spreadsheets and internal reports containing the protected health information of many of the hospital's patients.

No medical records were stored on the drive, although a considerable amount of PHI was detailed in the reports and spreadsheets. Those data include patients' names, addresses, telephone numbers, ethnicity, dates of birth, medical record numbers, patient encounter numbers, patient ID numbers, dates of service, medical diagnoses, details of procedures and examinations performed at the hospital, prescription information, referring physician names, insurance details, and discharge dates.

Patients are in the process of being notified of the exposure of their PHI and are being advised of the procedures they can follow to reduce the risk of harm or loss as a result of the data exposure. It is not clear at this stage how many patients have been affected or if credit monitoring and identity theft protection services are to be offered to affected patients.

The hard drive was stolen on December 30, 2015, from an area of the hospital not open to the public. A news release indicates this was the secure private office of an employee of the hospital. The hospital is treating this as a criminal matter and the theft is being investigated by the Freeport Police Department.

The internal investigation into the incident has taken some time to conduct. At first it was unclear which data were stored on the drive, and it was only recently that the hospital determined that patient data had potentially been exposed after examining data backups.

FHN Memorial Hospital has taken a number of steps to reduce the risk of future equipment theft and has enlisted the services of a consulting firm to help improve security at the hospital. Some of the measures being implemented include enhanced network monitoring and computer encryption. Previously, encryption policies had only been applied to devices storing PHI that were used in non-secure areas of the hospital. This will be extended to devices used in secure internal areas not open to the public. FHN will also be carefully monitoring the medical records of all affected patients.

The deadline for reporting breaches of PHI to the Department of Health and Human Services' Office for Civil Rights has now passed. Details of the number of individuals affected by the breach should therefore appear on the OCR's breach portal in the next few days.

Author: HIPAA Journal
