Indiana State Medical Association HIPAA Breach Update

Details have emerged on the Indiana State Medical Association data breach reported in early March.

The Indiana State Medical Association issued a media release confirming that it had suffered a data breach affecting approximately 39,000 individuals, after two backup hard drives were stolen from an employee’s car.

A report in the Star Press yesterday adds further detail to the story, suggesting the initial report was inaccurate and the breach was not reported promptly. The employee in question has also been disclosed as being the ISMA Information Technology Administrator.

The employee parked his car in a lot for a period of two and a half hours, and during that time a thief broke into the vehicle and stole two computer backup hard drives containing 39,090 medical records. The hard drives are understood to have been left in plain sight inside the vehicle.

The employee did not report the theft until more than 24 hours later. The theft report was filed at 7pm on February 14. The administrator called law enforcement to report the theft and officers were dispatched to meet him at a restaurant where he gave a statement in which he said “he thought he had locked his car but found no damage or marks on it when he discovered the theft.”

This is the largest data breach to occur in Indiana this year, and is certainly one of the more serious data breaches to affect the state in recent years. The hard drives contained names, addresses, dates of birth, Social Security numbers, medical histories, health plan numbers, email addresses and other information supplied on health insurance applications. While specialist software is required to access the data, this would present no obstacle to a data thief looking to use the records. Healthcare data can fetch up to $60 per record on the black market, giving thieves considerable incentive to access the data.

Last week a study was published showing human error to be the main cause of data breaches across American industry as a whole. While theft was the cause of this breach, it is ultimately a case of negligence and the root cause is human error.

Defenses must be improved to prevent external attacks on network servers and email accounts by hackers; however, it is also essential to train staff on the rules covering PHI. The HIPAA Security Rule requires covered entities to implement physical controls to secure PHI, and leaving portable equipment containing unencrypted data in a vehicle is a clear breach of HIPAA regulations.

If covered entities do not provide training and incidents such as this occur, they could face substantial HIPAA violation fines, while employees could potentially face criminal prosecution.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.