Dedicated to providing the latest
HIPAA compliance news

Stolen Electromyography Device Contained 836 Patients PHI, says SSM Health

Share this article on:

SSM Health has started notifying patients that some of their protected health information was exposed when a portable device was stolen from DePaul Hospital St Louis in Bridgeton, MO.

The device contained the protected health information of 836 patients, including names, medical record numbers, dates of birth and brief details of patients’ chief health complaint.  No insurance details, financial information, Social Security numbers or contact information were stored on the device. Due to the limited data stored on the device, patients are not believed to be at risk of experiencing identity theft or fraud.

The portable device was stolen from DePaul hospital overnight between April 12 and the morning of April 13, 2017. The theft has been reported to the local police department and an investigation into the incident is ongoing.

The device, which resembles a laptop computer, was part of an electromyography (EMG) medical device. Officials at DePaul hospital believe the device was stolen because it resembles a laptop computer, not for the information stored on the device. No evidence has been uncovered to suggest any data on the device have been misused.

SSM Health has confirmed in a substitute breach notice uploaded to its website that the device was solely used in conjunction with the EMG device and that it is not possible to access patients’ medical records through the device.

Affected individuals had been participating in an electro diagnostic study run by Dr. Syed Khader and had received treatment at the hospital between 2002 and 2017. No other patients of the hospital were affected by the incident.

Patients have been notified of the breach as is required by Health Insurance Portability and Accountability Act (HIPAA) Rules and the Department of Health and Human Services’ Office for Civil Rights has been notified.

Action has already been taken to ensure similar incidents do not occur in the future, including tightening security controls through written procedures and retraining staff on the correct handling of patient information.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On