
St. Luke’s Cornwall Hospital Notifies 29K Patients of Data Exposure


St. Luke’s Cornwall Hospital has issued a media announcement providing further information on the 29,156-record data breach that occurred on October 31, 2015. The hospital has explained that the breach occurred when an unidentified individual entered a restricted area of the hospital and stole a thumb drive containing a limited amount of patient data.

The device was unencrypted and contained patient names, medical record numbers, details of imaging services provided, and the dates of patient visits. Some administration information was also stored on the thumb drive, although no financial information, insurance details, health information, or Social Security numbers were compromised.

While the incident was discovered quickly, the hospital had to conduct an investigation to determine the exact data that were stored on the thumb drive and which patients were affected. The investigation has now been completed and patients have been notified by mail of the breach of their protected health information. The Department of Health and Human Services’ Office for Civil Rights was informed of the data breach on December 30, 2015.

Although only limited patient data were exposed and the risk of individuals suffering identity theft or financial losses as a result of the breach is relatively low, out of an abundance of caution St. Luke’s Cornwall Hospital is providing affected patients with identity theft recovery services for 12 months without charge.

The security breach has prompted St. Luke’s Cornwall Hospital to revise its policies on data encryption. All USB drives used by the hospital will now require a password to access the data they hold, and any patient data stored on them will be encrypted.

The use of thumb drives and other portable storage devices carries a data security risk as they can all too easily be lost or stolen. To reduce the risk of further security incidents of this nature, St. Luke’s will be implementing IT systems that allow data access without the use of thumb drives.

OCR Takes Action over Portable Device Theft


The Office for Civil Rights has been cracking down on HIPAA-covered entities that have suffered data breaches as a result of portable storage devices being lost or stolen. A number of settlements have been reached with organizations over potential HIPAA violations connected with the loss or theft of portable devices and the resulting exposure of ePHI.

| Covered Entity                       | Breach Type                                 | Records Exposed | Date           | Settlement Amount |
|--------------------------------------|---------------------------------------------|-----------------|----------------|-------------------|
| Cancer Care Group, P.C.              | Theft of laptop / unencrypted backup media  | 55,000          | September 2015 | $750,000          |
| St. Elizabeth Medical Center         | Theft of flash drive                        | 595             | July 2015      | $218,400          |
| Adult & Pediatric Dermatology, P.C.  | Theft of flash drive                        | 2,200           | December 2013  | $150,000          |
| Alaska DHSS                          | Theft of USB hard drive                     | 2,000           | June 2012      | $1,700,000        |

Author: HIPAA Journal
