HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Inspira Health Network Alerts 1,411 Patients of Potential HIPAA Breach

The theft of two personal computers from Inspira Health Network’s Vineland Medical Center in December 2013 has potentially exposed health data of 1,411 New Jersey patients. All affected individuals are in the process of being notified that some of their data has potentially been compromised, although the risk to individuals is considered to be low.

In December, 2013, a former employee at the Vineland center took two computers from storage facilities in the center’s radiology department. The filing room where the computers were being stored was unlocked and unsecured. Christopher McCourt of Port Norris took the computers and sold them to a local recycling center.

The computers, reportedly worth $2,800 each, were sold for just $14. According to a Vineland Police Department statement, McCourt committed the crime to obtain gas money. This was not the first time McCourt had taken a computer. He also admitted to another theft, although the incident had gone unreported. McCourt has now been charged with burglary and theft and is being held in Cumberland County Jail.

Inspira Health was able to recover the computers and has reported that no patient data was compromised as the computers did not contain any hard drives. While this is good news for its patients, it has since emerged that the hard drives had been disposed of prior to the sale of the computers and the whereabouts of those hard drives is currently unknown.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Inspira took the decision to notify 1,411 of its patients that their data may have been compromised after an investigation determined that some health information could have been stored on the hard drives. Inspira was unable to determine if this was definitely the case, although an analysis of a similar computer revealed that limited patient data could have been exposed which included X-rays, dates of the provision of medical services, patient’s names, addresses, dates of birth and some Social Security numbers.

According to a statement from Inspira Healthcare, “any patient information potentially stored on the computer would have been very difficult to access due to the digital security systems used by the health network.”

Breach notification letters were sent to patients as a precautionary measure and all individuals affected have been offered a year of free credit monitoring services. They have also been advised to closely monitor their credit reports for any sign or fraudulent activity.

The data breach was swiftly identified and resolved, and the threat of identity/medical theft is low. However, the incident raises a number of questions about security at the hospital; such as how an employee was able to walk out of the facilities carrying two PCs without being noticed and why the computers were stored in an unlocked room.

HIPAA requires all covered entities to implement the appropriate technical, administrative and physical safeguards to protect patient data and failing to secure the storage room suggests there has been a violation of HIPAA Privacy and Security Rules.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.