Indiana University Health’s Arnett Hospital has alerted 29,324 patients about the potential exposure of their Protected Health Information after an unencrypted flash drive disappeared from its emergency department.
The flash drive was discovered to be missing on November 20, 2015, and an investigation was immediately launched. Efforts are continuing to try to locate the missing flash drive, which was lost in an area of the hospital not accessible to the public. Consequently, hospital officials do not believe patient data have been acquired or viewed by an external third party.
IU Health Arnett Hospital started sending breach notification letters to affected patients last week to inform them that some of their PHI has potentially been compromised. However, no reports of inappropriate use of the data have so far been received by the hospital.
The flash drive was not used to store Social Security numbers, financial information, or credit card numbers, although spreadsheets saved on the device included patient names, medical record numbers, dates of birth, and medical diagnoses.
Norma Gilbert, director of quality and clinical excellence for IU Health Arnett, issued a statement confirming “Patient medical record information is kept on a secure server… This is not the standard method of storing patient data.”
As a result of the security breach, IU Health Arnett will review its security policies and take steps to reduce the likelihood of similar incidents occurring in the future.
A Bad Start to 2016 After ‘The Year of the Healthcare Data Breach’
2015 was a bad year for the healthcare industry. Well over twice as many healthcare records were exposed in the past 12 months as in the entire period from 2009 to the end of 2014.
The Indiana University Health security incident is the largest suffered since OH Muhlenberg reported its 84,681-patient-record hacking incident in November 2015.
The latest security incident is the ninth largest to be suffered by a HIPAA-covered entity in the past 6 months, with only the security incidents at Molina Healthcare, OH Muhlenberg, Excellus Health Plan, Empi Inc, North East Medical Services, Medical Informatics Engineering, UCLA Health and Lancaster County EMS having exposed more records.
OCR Fines for Loss and Theft of Unencrypted Portable Storage Devices
Portable devices used to store healthcare data can be easily misplaced, lost, or stolen. It is therefore essential that data stored on the devices are encrypted. Failure to use encryption on portable devices can easily result in an OCR HIPAA breach fine.
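One practical check that follows from the point above is to audit whether the removable media actually in use are protected. The script below is an added example, not code from the article or from IU Health; it assumes Windows hosts with the BitLocker and Storage PowerShell modules (Get-BitLockerVolume, Get-Volume) and an elevated session, and the function name Get-RemovableVolumeEncryptionStatus is hypothetical.

```powershell
# Added example (not from the article): audit removable volumes for BitLocker protection.
# Assumes a Windows host with the BitLocker module (Get-BitLockerVolume) and the
# Storage module (Get-Volume); run from an elevated PowerShell session.
function Get-RemovableVolumeEncryptionStatus {
    [CmdletBinding()]
    param()

    # Removable media (USB flash drives and similar) as reported by the Storage module
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

    foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        # Returns a volume object even for unencrypted drives (ProtectionStatus 'Off');
        # null only if BitLocker cannot manage the volume at all
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue

        [pscustomobject]@{
            MountPoint        = $mount
            FileSystemLabel   = $vol.FileSystemLabel
            SizeGB            = [math]::Round($vol.Size / 1GB, 2)
            # 'On' only when encryption has completed and key protectors are active
            ProtectionStatus  = $(if ($bl) { $bl.ProtectionStatus } else { 'NotManageable' })
            EncryptionPercent = $(if ($bl) { $bl.EncryptionPercentage } else { 0 })
        }
    }
}

# Every removable volume whose protection is not 'On' is a policy finding worth following up
Get-RemovableVolumeEncryptionStatus |
    Where-Object { $_.ProtectionStatus -ne 'On' } |
    Format-Table -AutoSize
```

Run on a workstation, the output lists only the drives that would be a reportable breach if lost; run fleet-wide through existing management tooling, it gives a covered entity evidence for the encryption policy review the article recommends. Note that a volume whose encryption is still in progress reports ProtectionStatus 'Off', so the EncryptionPercent column helps distinguish an in-progress drive from one that was never encrypted.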
In November 2015, Lahey Hospital and Medical Center settled with OCR for $850,000 after a laptop computer was stolen, exposing the records of 599 patients.
Alaska Department of Health and Human Services settled with OCR for $1.7 million last year after a portable electronic storage device was stolen from the vehicle of a DHHS employee.
In 2014, Stanford Hospital & Clinics agreed to a $4.1 million settlement after 1 million records were exposed when two laptop computers were stolen, and a $1.7 million fine was paid by Concentra Health Services after an unencrypted laptop computer was stolen.
With OCR fines being increasingly issued following data breaches, and state attorneys general also penalizing healthcare providers for data exposures, now is a good time for HIPAA-covered entities to review their data encryption policies.