
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Data Breach Highlights Danger of Using USB Drives to Store PHI

The Mann-Grandstaff VA Medical Center in Spokane, WA has discovered that two USB drives containing the protected health information of almost 2,000 veterans have been stolen.

The two devices were being used to store data from a standalone, non-networked server that was being decommissioned. One of the devices was the master drive used to move the medical center’s Anesthesia Record Keeper database to its virtual archive server. According to a statement issued by the medical center, that transfer had taken place in January. It is unclear why the database was still on the drive.

The devices were stolen on July 18, 2017 from a contract employee while on a service call to a VA hospital in Oklahoma City.

Mann-Grandstaff VA Medical Center was not able to determine exactly what information was stored on the USB drives, although the database on the virtual archive server was checked and found to contain full names, addresses, phone numbers, surgical information, insurance information, and Social Security numbers.

1,915 individuals who have potentially been affected are being notified of the breach by mail and have been offered credit monitoring services for 12 months without charge.

In September, the same medical center announced another data breach had occurred. An unencrypted laptop computer that was used as an interface with a hematology analyzer was discovered to be missing. The data on the laptop included names, dates of birth, and the Social Security numbers of approximately 3,200 veterans. Following that breach, the medical center implemented a system that allows devices to be remotely sanitized in the event of loss or theft.

HIPAA Compliant Alternatives to USB Drives

While transporting or storing data on small portable devices such as USB, pen, or zip drives is convenient, the devices are easily misplaced, lost, or stolen. The loss of a USB drive containing PHI is a reportable breach and one that could potentially result in a significant regulatory fine.

There are now many cloud-based storage options that allow data to be easily accessed and shared. Covered entities still using these small portable devices to store PHI should consider banning the use of the devices and switching to HIPAA-compliant cloud storage.

Prior to using any cloud storage service, HIPAA covered entities should obtain a signed, HIPAA-compliant business associate agreement and train employees on the correct use of the storage platform. Alternatively, secure, HIPAA-compliant text messaging platforms can be used to share PHI securely.

If the use of USB drives is unavoidable, any PHI stored on the devices should be encrypted to prevent unauthorized access in the event of loss or theft, or protected by an alternative security measure that provides an equivalent level of protection.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
