HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Lack of Encryption on Hard Drive Results in the Exposure of 9387 Patients’ PHI

Framingham, MA-based Charles River Medical Associates has discovered the danger of failing to use encryption to protect data stored on portable hard drives.

In late November, the practice discovered one of its portable hard drives was missing. The device contained x-ray images, names, patient ID numbers, and birth dates. Every patient who had visited the Framingham radiology lab for a bone density scan since 2010 had their x-ray images exposed – almost 9,400 individuals.

The hard drive was used by the practice as a backup device and updated the stored data each month with bone density scans from the past four weeks. The last time the device was used was for the October data backup. In late November, when the monthly backup was scheduled to be made, the portable drive could not be found.

A full search of the premises was conducted, which took several weeks, but the device could not be located. All staff members were questioned about the whereabouts of the drive, but no one had seen the device in the past four weeks.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Charles River Medical Associates has now declared the device lost and the search has been called off. Brian Parillo, executive director of Charles River Medical Associates said, “It’s hard to speculate on what could have happened to it.”

The loss of any device containing unencrypted protected health information is a reportable incident under HIPAA Rules and patients must be notified of the potential breach of their information. In compliance with HIPAA Rules, the incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) and patients have been informed of the breach by mail.

While the drive is believed to have been lost rather than stolen, it is possible that the device has been found and the information stored on the drive viewed by unauthorized individuals. Patients have therefore been advised to take steps to guard against any negative impact from the incident, including obtaining credit reports and checking their credit accounts for any sign of fraudulent activity.

However, since no Social Security numbers, financial information, or health insurance details were stored on the device, the potential for identity theft and fraud is low.

As a result of the incident, the decision has been taken to stop using unencrypted portable drives to store backups. A full security review has also been conducted to identify other potential vulnerabilities to the confidentiality, integrity, and availability of PHI, a review of hardware has been conducted, and staff have been retrained on privacy workflows.

The breach report submitted to OCR indicates 9,387 patients have been impacted by the incident.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.