Ohio’s Akron Children’s Hospital has reported the loss of a hard drive used to store backup copies of voice recordings of conversations between medical staff and dispatchers. The backup drive was physically secured under lock and key at the hospital, but the data on it was not encrypted.
An investigation into the equipment loss was conducted by hospital staff as soon as the drive was discovered to be missing. According to Akron Children’s Hospital’s COO, Grace Wakulchik, “Our internal investigation indicated the hard drive was lost and nothing malicious was involved.”
Since the storage facility was in a secure area of the hospital, it is highly unlikely that the device was stolen by a patient or a member of the public; the most probable explanation is that the device was simply misplaced.
Limited Protected Health Information Exposed
The recordings were made between Sept. 18, 2014, and June 3, 2015 and involved brief conversations between physicians’ offices and hospital emergency departments. During these conversations a limited amount of patients’ Protected Health Information (PHI) was mentioned, but that information did not include financial information, insurance details or Social Security numbers. Individuals were typically referred to by age and gender, and some information was passed on regarding patients’ health. Patient names were mentioned in some conversations.
Given the nature of the data exposed, the risk of identity theft or other harm is perceived to be low. As such, aside from issuing breach notification letters to affected patients, the hospital deemed no further action necessary to mitigate harm. However, the matter is being taken seriously and policies are being updated to prevent similar incidents from happening in the future.
Wakulchik said, “To prevent similar incidents, we have taken steps to ensure all mobile devices are encrypted and we no longer store transport voice recordings on mobile devices.”
The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights, and breach notification letters are being sent to all affected patients.
As Akron Children’s Hospital staff discovered, physical protections alone do not prevent a reportable breach: once an unencrypted device holding electronic PHI cannot be accounted for, its contents must be presumed exposed.
HIPAA Rules on Stored PHI
The HIPAA Security Rule calls for physical, administrative, and technical safeguards to be put in place to keep patient health data and personal information secure. Backup storage devices can be secured in locked facilities; however, administrative protections must also be in place to reduce the risk of privacy breaches. Inventories of devices must be diligently maintained, equipment should be signed in and out, and tight control must be kept over all equipment used to store PHI.
Encryption of PHI at rest is an “addressable” rather than a “required” implementation specification under the HIPAA Security Rule: a covered entity must either implement it or document why it is not reasonable and appropriate and put an equivalent alternative in place. In practice it is one of the most effective ways to stop a lost device from becoming a data breach.
Encryption ensures that even if a device is lost or stolen, the data on it is indecipherable and patient privacy is protected. Under HHS guidance, PHI that was encrypted in line with the referenced NIST standards is considered “secured,” so the loss of an encrypted device, while it should still be investigated and reported to law enforcement where appropriate, does not trigger notification of patients or OCR. The caveat is that the safe harbor only holds if the decryption key was not also lost or compromised, which is why the key must never be stored on the device it protects.
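What “the drive is encrypted but the key is not on the drive” means in concrete terms, as an added example that is not from the hospital or the article: envelope encryption of a backup archive before it is written to removable media. A random 256-bit data-encryption key (DEK) encrypts the archive with AES-256-GCM; the DEK is then wrapped under a key-encryption key (KEK) that is assumed to live in a key manager off the device. The drive only ever holds the ciphertext and the wrapped DEK, so a lost drive is useless without the KEK, and any tampering with the ciphertext is detected on decrypt. The KEK, the backup label and the sample recording text are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedBackup is everything that gets written to the removable drive.
// No plaintext and no unwrapped key is ever stored alongside it.
type EncryptedBackup struct {
	WrappedDEK []byte // DEK sealed under the KEK; 12-byte GCM nonce prepended
	Nonce      []byte // GCM nonce for the payload
	Ciphertext []byte // AES-256-GCM ciphertext plus authentication tag
}

const gcmNonceSize = 12

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts plaintext under key with a fresh random nonce.
func sealWith(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// openWith decrypts and authenticates; any bit flip in ct, nonce or aad fails.
func openWith(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptBackup generates a random DEK, encrypts the archive under it and
// wraps the DEK under the KEK. The label is bound in as associated data so a
// wrapped key cannot be silently moved to a different backup.
func EncryptBackup(kek, archive []byte, label string) (*EncryptedBackup, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes for AES-256")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(label)
	nonce, ct, err := sealWith(dek, archive, aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := sealWith(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &EncryptedBackup{WrappedDEK: append(wrapNonce, wrapped...), Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptBackup needs the KEK from the key manager; nothing on the drive suffices.
func DecryptBackup(kek []byte, b *EncryptedBackup, label string) ([]byte, error) {
	if len(b.WrappedDEK) <= gcmNonceSize {
		return nil, errors.New("malformed wrapped key")
	}
	aad := []byte(label)
	dek, err := openWith(kek, b.WrappedDEK[:gcmNonceSize], b.WrappedDEK[gcmNonceSize:], aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openWith(dek, b.Nonce, b.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // constructed stand-in for a KEK fetched from a key manager
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	const label = "transport-recordings-2015Q2"
	archive := []byte("constructed sample: 7-year-old female, asthma exacerbation, ETA 10 min")
	b, err := EncryptBackup(kek, archive, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext readable from drive:", bytes.Contains(b.Ciphertext, []byte("asthma")))
	_, err = DecryptBackup(make([]byte, 32), b, label)
	fmt.Println("decrypt without the real KEK:", err)
	pt, _ := DecryptBackup(kek, b, label)
	fmt.Println("decrypt with KEK from key manager:", string(pt))
}
```

The design point is the split: the drive can be lost without consequence only because the KEK is held elsewhere, under access control and audit, and can be rotated or destroyed independently of the media. A full-disk product such as LUKS or BitLocker does the same thing at the block layer, and the same key-custody caveat applies to it.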
In recent weeks there have been a number of lost and stolen devices reported: thumb drives have been misplaced, properties have been burgled, and laptops have been stolen from physicians’ cars. In all of these cases, encryption would have prevented both a reportable data breach and the considerable breach response costs that follow one.