HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Backup Drive Stolen: PHI of 1,291 Patients Exposed

The failure to encrypt backup data on a portable electronic device has resulted in the protected health information of 1,291 individuals being exposed.

The device was stolen from Local 693 Plumbers, Pipefitters & HVACR Technicians, a member of the United Association of Journeymen and Apprentices of the Plumbing and Pipefitting Industry of the United States and Canada. The backup device was discovered to be missing on January 23, 2017, following a break-in at Local 693 offices the day before.

An investigation revealed the device contained names, telephone numbers, addresses and Social Security numbers of current and former Plumbers & Pipefitters Local 693 Benefit Funds recipients and members of the Plumbers & Pipefitters Local 693 union.

The theft has been reported to law enforcement, the Vermont attorney general and the Department of Health and Human Services Office for Civil Rights. While the data on the device could potentially be accessed by unauthorized individuals, an independent information technology consultant who was retained to conduct an investigation believes the probability of data on the device being accessed and used inappropriately is “very low”.

To date, Local 693 has not received any reports to suggest data have been misused, although affected individuals have been advised to remain vigilant for abuse of their protected health information and identity theft.

This is the second incident to be reported to OCR in the past few days that has involved the theft of a device used to store backup data. Last week, Denton Heart Group discovered a backup device had been stolen from a locked facility. That incident resulted in 7 years of backup data being stolen.

These incidents show that even when physical devices are stored in secure locations, there is still potential for the devices to be stolen. However, by encrypting stored data, privacy breaches such as this can be prevented.

In response to this incident, Local 693 has taken the decision to switch to a more secure form of storage for backup data. Data will now be stored securely in the cloud and all backup data will now be encrypted.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.