HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

FHN Memorial Hospital Announces Hard Drive Theft and PHI Exposure

FHN Memorial Hospital in Freeport, IL, has announced that a computer hard drive was stolen from the hospital in December 2015. Spreadsheets and internal reports containing the protected health information of many of its patients were stored on the drive.

No medical records were stored on the drive, although a considerable amount of PHI was detailed in the reports and spreadsheets. Those data include patients’ names, addresses, telephone numbers, ethnicity, dates of birth, medical record numbers, patient encounter numbers, patient ID numbers, dates of service, medical diagnoses, details of procedures and examinations performed at the hospital, prescription information, referring physician names, insurance details, and discharge dates.

Patients are in the process of being notified of the exposure of their PHI and are being advised of the procedures they can follow to reduce the risk of harm or loss as a result of the data exposure. It is not clear at this stage how many patients have been affected or if credit monitoring and identity theft protection services are to be offered to affected patients.

The hard drive was stolen on December 30, 2015, from an area of the hospital not open to the public. A news release indicates this was the secure private office of an employee of the hospital. The hospital is treating this as a criminal matter and the theft is being investigated by the Freeport Police Department.

The internal investigation into the incident has taken some time to conduct. At first it was unclear which data were stored on the drive, and it was only recently that the hospital determined that patient data had potentially been exposed after examining data backups.

FHN Memorial Hospital has taken a number of steps to reduce the risk of future equipment theft and has enlisted the services of a consulting firm to help improve security at the hospital. Some of the measures being implemented include enhanced network monitoring and computer encryption. Previously, encryption policies had only been applied to devices used to store PHI that were used in non-secure areas of the hospital. This will be extended to devices used in secure internal areas not open to the public. FHN will also be carefully monitoring the medical records of all affected patients.

The deadline for reporting breaches of PHI to the Department of Health and Human Services’ Office for Civil Rights has now passed. Details of the number of individuals affected by the breach should therefore appear on the OCR’s breach portal in the next few days.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.