Backup Drive Stolen: PHI of 1,291 Patients Exposed
The failure to encrypt backup data on a portable electronic device has resulted in the protected health information of 1,291 individuals being exposed.
The device was stolen from Local 693 Plumbers, Pipefitters & HVACR Technicians, a member of the United Association of Journeyman and Apprentices of the Plumbing and Pipefitting Industry of the United States and Canada. The backup device was discovered to be missing on January 23, 2017 following a break-in at Local 693 offices the day before.
An investigation revealed the device contained names, telephone numbers, addresses and Social Security numbers of current and former Plumbers & Pipefitters Local 693 Benefit Funds recipients and members of the Plumbers & Pipefitters Local 693 union.
The theft has been reported to law enforcement, the Vermont attorney general and the Department of Health and Human Services Office for Civil Rights. While the data on the device could potentially be accessed by unauthorized individuals, an independent information technology consultant who was retained to conduct an investigation believes the probability of data on the device being accessed and used inappropriately is “very low”.
To date, Local 693 has not received any reports to suggest data have been misused, although affected individuals have been advised to remain vigilant for abuse of their protected health information and identity theft.
This is the second incident to be reported to OCR in the past few days that has involved the theft of a device used to store backup data. Last week, Denton Heart Group discovered a backup device had been stolen from a locked facility. That incident resulted in 7 years of backup data being stolen.
These incidents show that even when physical devices are stored in secure locations, there is still potential for the devices to be stolen. However, by encrypting stored data, privacy breaches such as these can be prevented.
In response to this incident, Local 693 has taken the decision to switch to a more secure form of storage for backup data. Data will now be stored securely in the cloud and all backup data will now be encrypted.