Penn State Hershey Medical Center, in accordance with HIPAA Rules, has issued a breach notice out of an “abundance of caution” after an employee copied Protected Health Information (PHI) onto an unencrypted flash drive, took it home, copied it onto his home computer and emailed it to a couple of doctors authorized to view the information.
The healthcare provider does not believe any information was inappropriately viewed by any unauthorized individuals, but has proceeded with a breach response to ensure that all patients are aware of the incident to allow them to take precautions should they wish to do so.
Following the discovery, the hospital initiated an investigation to determine what data could potentially have been exposed in the incident, and to find out whether any information had been improperly accessed. That investigation did not uncover any evidence that PHI had been disclosed.
However, the possibility that data has been viewed by unauthorized individuals or has been copied cannot be eliminated, hence the issuing of breach notification letters.
1,801 Potentially Affected by Health Data Breach
1,801 patients have potentially been affected by the breach. No financial information or Social Security numbers were in the data, but it did contain health information, including the names of laboratory tests, the date on which a patient had visited the center, and the test results themselves. The data was tied to each patient by name and medical record number. The data is restricted to individuals who took a specific type of medical test between specific dates, August 2013 and March 26, 2014, and who had visited one of the healthcare provider’s Women’s Health and Family Practice clinician offices. The data breach was discovered on April 11, 2015.
According to the breach notice issued by PSHMC, the laboratory assistant had been given authorization to access PHI, as this was required for work purposes. The employee had entered information from the laboratory results into a test log and took it home to work on.
The employee’s home system was outside the control of the medical center, so the information could potentially have been exposed to or viewed by external parties. That was not the only violation of hospital policy. PHI was copied onto a flash drive, which was used to transfer the data from the hospital system to the employee’s home computer. That information was then attached to a message from a personal email account and sent, via an unencrypted network, to two different physicians.
In order to prevent future incidents from occurring PSHMC will be “increasing education efforts with employees, focusing on the essential responsibility of all staff to safeguard patient health information at all times and follow proper practices for doing so.”
It is not known whether the employee in question had not received training on HIPAA Rules, did not understand the significance of the actions he took, or acted in blatant disregard of hospital and HIPAA Rules. While this was in all likelihood an isolated incident, it is one that could easily occur in hospitals all over the country.
This incident highlights the need for training on HIPAA Rules, and for periodic reinforcement of data privacy and security rules. A simple error of judgement could land both an employee and a healthcare provider in serious trouble. It is therefore essential that HIPAA Rules are not forgotten by staff.