Vehicles are clearly not good places to store the Protected Health Information of patients, even temporarily, as another medical professional has recently discovered.
San Francisco psychiatrist Robert E. Soper, M.D., was transporting an old desktop computer that he intended to give to his brother. He left the car unattended, and during that time it was broken into; the desktop computer was stolen along with other items from the car.
Although the data on the desktop computer was not encrypted, it was protected by two passwords, which reduces the chance that an opportunistic thief will get at it. According to the breach notice issued by Dr. Soper, the passwords “were maintained in a format unique to the software used to prepare them. The software program itself was not on the computer, making the data almost impossible to decipher.” The caveat a practitioner would add is that a password checked by software on the machine is not the same as encryption: if the disk itself is not encrypted, its contents can be read by removing the drive or booting the machine from another disk, without any password ever being entered.
The computer also contained email data which included lab test results and some third party healthcare provider reports on patients, as well as email correspondence between the office and patients. Email data was similarly password protected and it is not believed to have been compromised.
Bad Error of Judgement, but Good Data Security Protections
Under the HIPAA Security Rule, encryption of electronic Protected Health Information is not a required implementation specification; it is an addressable one. Addressable does not mean optional: a covered entity must assess whether encryption is reasonable and appropriate for its environment and, if it decides not to implement it, document the reasons and put an equivalent alternative safeguard in place. Healthcare providers are therefore permitted to rely on other security protections instead of encryption to prevent patient data from being exposed, provided that decision is justified and documented.
In this case, encryption was not used, but the data was protected by more than one layer of security. The data was password protected, and the computer was an Apple device configured so that the contents of the hard disk will be erased the next time the computer is turned on and connected to the internet. Dr. Soper will be notified if that happens, although at the time of the notice he had not yet received an alert from Apple. A remote erase of this kind only takes effect if the stolen machine is booted and goes online; it does nothing for a drive that is removed and read on another computer.
The decision to leave a device containing electronic Protected Health Information in a vehicle, even temporarily, was a serious error of judgement, but the other protections in place should be sufficient to protect the privacy of the physician’s patients.
According to the breach notice issued by Dr. Soper, he promptly took action to mitigate risk. He said, “I promptly reported this crime to the San Francisco Police Department, (report 1561 62776). I also immediately disconnected the computer from any access to our data on the internet and my office.” He went on to say, “I believe this was a crime of opportunity, and have not received any indication that the information has been accessed or used by anyone. Because that data has now been compromised, I owe each of you a personal apology. That is the central purpose of this letter.”
He also said that additional data security measures were being implemented to prevent similar events from occurring in the future.
Patients have not been offered credit monitoring or credit protection services, given the relatively low risk of identity theft, but they have been advised to obtain free credit reports from the three credit agencies and to monitor their credit and finances closely.
The breach notice does raise one HIPAA-related question. If the desktop computer was due to be given to the psychiatrist’s brother, would the data have been securely erased first?