Share this article on:
Boston Children’s Hospital has issued a press release announcing a laptop issued to one of its employees has been lost at a conference in Buenos Aires; potentially exposing the protected health records of 2,159 of its patients.
The laptop had basic security protection and access was secured with a password; however the data contained on the laptop was not encrypted. In accordance with federal law, all patients concerned have been issued with a breach notification by mail advising them of the security breach and detailing the data that could possibly have fallen into the hands of others. They have also been given advice on how they can protect their identities and mitigate any damage caused. The breach notification letters were sent out on May 22, 2012.
In the letter patients were informed that their data was stored in a spreadsheet attached to an email and that the account was password protected. The information contained in the file included names, medical record numbers, diagnosis codes, procedures performed and dates of past surgery. Dates of birth were included, although no financial details such as credit card numbers or Social Security numbers had been disclosed in the incident.
No electronic health records or protected information was stored on the laptop’s hard drive, although the attachment was potentially accessible through the email program at the time the theft occurred. It is therefore possible that the thief or the person in possession of the laptop could have viewed, stored or copied the data. The investigation conducted by the hospital could not confirm whether this was the case, or if the attachment was in fact even accessible at the time of the theft.
Boston Children’s Hospital Senior Vice President for Information Services and its Chief Information Officer advised patients “We take great measures to ensure that Protected Health Information is never inadvertently released, and we are undertaking additional steps to prevent breaches such as this in the future. We deeply regret and apologize for any concern or inconvenience this situation may cause our patients and families.”
HIPAA breaches must be reported to the media and patients need to be advised of any breach that involved their Protected Health Information potentially being exposed to allow them to take step to mitigate damage. The Office for Civil Rights of the Department of Health and Human Services must also be notified of breaches involving the records of more than 500 individuals and it actively investigates the organizations concerned.
If the OCR investigates and discovers the data breach was caused by failures to implement appropriate controls to protect ePHI, as demanded by the Health Insurance Portability and Accountability Act, it can issue substantial financial penalties for each violation.