The theft of two personal computers from Inspira Health Network’s Vineland Medical Center in December 2013 has potentially exposed health data of 1,411 New Jersey patients. All affected individuals are in the process of being notified that some of their data has potentially been compromised, although the risk to individuals is considered to be low.
In December 2013, a former employee at the Vineland center took two computers from storage facilities in the center’s radiology department. The filing room where the computers were being stored was unlocked and unsecured. Christopher McCourt of Port Norris took the computers and sold them to a local recycling center.
The computers, reportedly worth $2,800 each, were sold for just $14. According to a Vineland Police Department statement, McCourt committed the crime to obtain gas money. This was not the first time McCourt had taken a computer. He also admitted to another theft, although the incident had gone unreported. McCourt has now been charged with burglary and theft and is being held in Cumberland County Jail.
Inspira Health was able to recover the computers and has reported that no patient data was compromised, as the computers did not contain any hard drives. While this is good news for its patients, it has since emerged that the hard drives had been disposed of prior to the sale of the computers, and the whereabouts of those hard drives are currently unknown.
Inspira took the decision to notify 1,411 of its patients that their data may have been compromised after an investigation determined that some health information could have been stored on the hard drives. Inspira was unable to determine if this was definitely the case, although an analysis of a similar computer revealed that limited patient data could have been exposed, including X-rays, dates of the provision of medical services, patients’ names, addresses, dates of birth and some Social Security numbers.
According to a statement from Inspira Healthcare, “any patient information potentially stored on the computer would have been very difficult to access due to the digital security systems used by the health network.”
Breach notification letters were sent to patients as a precautionary measure and all individuals affected have been offered a year of free credit monitoring services. They have also been advised to closely monitor their credit reports for any sign of fraudulent activity.
The data breach was swiftly identified and resolved, and the threat of identity/medical theft is low. However, the incident raises a number of questions about security at the hospital, such as how an employee was able to walk out of the facilities carrying two PCs without being noticed and why the computers were stored in an unlocked room.
HIPAA requires all covered entities to implement the appropriate technical, administrative and physical safeguards to protect patient data, and failing to secure the storage room suggests there has been a violation of HIPAA Privacy and Security Rules.