HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Flash Drives Go Missing from Lancaster County EMS

Sometimes even the best protections are not enough, as Lancaster County, EMS, S.C discovered when a safe used to store unencrypted flash drives securely was discovered to have gone missing. A thorough search of the building was organized but the safe, along with its contents, were nowhere to be found.

County officials have stated that they have no reason to believe that the information has been used inappropriately but there is a risk that the safe has been opened and the contents – two flash drives and two computer hard drives – may have been accessed.

The information contained on the devices included names, home addresses, dates of birth and Social Security numbers. It is highly probable that the data also included details of the patient’s health status and injuries, since the information related to patients collected by the county’s ambulances.

While the total number of records has not been disclosed, the data covers a period of 10 years between 2004 and 2014. A WSOC news report indicates that last year alone the EMS dealt with 13,000 individual transports. It is therefore probable that close to 100,000 records could be potentially in the hands of thieves.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Once the potential theft was discovered, South Carolina Law Enforcement Division (SLED) was alerted and an investigation is ongoing but the safe has not been recovered, and neither have the missing drives.

The safe was stored in an unmarked closet in the basement of the Lancaster County building. When the closet was cleared out in April, the safe was discovered to be missing. It is not known when the safe was stolen and how long the thieves have had to open it and check its contents. The door did have a lock; whether that room was locked at all times is not known.

In accordance with HIPAA regulations, a breach notice has been posted on the company website and the media has been alerted. Lancaster County EMS is also in the process of sending breach notification letters to all affected individuals.

Patients have been informed about the nature of the data breach and the steps being taken to prevent future breaches. According to the letter, “To help prevent something like this from happening again, we will be using encrypted devices for storing EMS information.”

To address to potential risk of identity fraud, breach victims are being offered credit monitoring and protection services without charge.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.