Staff Error Exposes 33K HIPAA Records at St. Joseph Health
Even with the best defenses in place, HIPAA violations can occur, as the Santa Rosa Memorial Hospital in Northern California recently discovered. The hospital, operated by the St. Joseph Health system, recently reported that an error made by a member of staff at the hospital resulted in the data of 33,702 patients being obtained by a thief.
The theft occurred during a burglary at the hospital’s Redwood Regional Medical Group offices. The facilities were broken into and the thief – or thieves – managed to find a thumb drive on which the unencrypted records of almost 34,000 patients were being temporarily stored.
The unencrypted thumb drive had been left in an unlocked staff locker overnight. In the morning, when the break-in was discovered, the member of staff concerned realized that the thumb drive was missing. The theft was reported to law enforcement; the perpetrators have not been identified and the thumb drive has not been recovered, although the investigation is continuing.
The thumb drive was being used to temporarily store backed-up data from the radiology department while the hospital implemented a new electronic medical record system. The data stored on the thumb drive included personal identifiers such as names, addresses, gender, dates of birth, appointment and treatment dates and times, the body part x-rayed, the name of the radiographer who performed the diagnostic service and the level of radiation the patient was subjected to.
Patients who visited the hospital for diagnostic imaging services between February 2, 2009 and May 13, 2014 are likely to have had their data compromised. The hospital confirmed that other medical records, Social Security numbers, insurance details and financial information were not exposed in the incident.
The hospital does not believe the risk of identity theft to be high, nor does it believe that any of the data has been used inappropriately, but as a precaution all affected individuals will be offered 12 months of credit protection services without charge.
In response to the HIPAA breach the hospital released a statement to reassure patients. The statement read “We take our obligation to protect patients’ privacy very seriously, and apologize for any concerns or inconvenience to patients and their families that this causes.” The president of St. Joseph Health in Sonoma County, Todd Salnas also said that “Following this burglary, we immediately heightened security measures and training at our new Sotoyome Drive facility, and are committed to preventing such an intrusion from happening again.”
While the statement will reassure some patients, those who have been using the hospital’s medical services for some time may remember that this is not the first time the healthcare provider has suffered a HIPAA breach. In 2013, the theft of an unencrypted electronic device exposed the data of 1,000 St. Joseph Health patients, and in 2012, the theft of another unencrypted device resulted in 31,800 confidential patient records being compromised.
A 2010 burglary at the offices of St. Joseph Heritage Healthcare also resulted in 22 computers being stolen along with the data of some 22,000 patients. The hospital system may be “committed to preventing such an intrusion from happening again”, but given the history of HIPAA breaches at SJH, many will feel that action should have been taken to secure data before the latest incident.
Had the healthcare provider taken the decision to encrypt data after any of the previous breaches, the latest incident could have been avoided. The thumb drive may still have been stolen, but if the data had been encrypted there would be no HIPAA breach. While the Office for Civil Rights has not been fining every violator of HIPAA Rules, repeat offenders are likely to attract the department’s attention, and in such cases financial penalties often follow. These can be as high as $1.5 million per violation.