Share this article on:
A new HIPAA breach has been announced affecting patients of an Oregon healthcare facility although the number of patients to be affected is currently unknown. The incident occurred in November when an employee of the Corvallis Clinic left a laptop computer in a vehicle while attending a work conference. The laptop was subsequently stolen from the car.
The laptop contained unencrypted data of patients who had visited the clinic during the past two years, although the information was in a spreadsheet and the data it contained was limited and included patient names, dates of birth, name of the healthcare provider and the reason for the visit. The spreadsheet is not believed to have contained any Social Security numbers, driver’s license numbers or credit card details.
There is no indication that the thieves have been able to access the data contained in the spreadsheet. The Clinic advised patients that the laptop was protected with a “highly secure” alpha numeric pass code and that it is improbable that the thieves would have been able to access the data.
A notice has been posted on the Corvallis Clinic website notifying patients of the breach and an internal investigation is being conducted. The Department of Health and Human Services will be notified once it can be established how many patients have potentially been affected.
The clinic pointed out that it was issuing the notification much earlier than it was required do to so under federal regulations. This was as an extra precaution and statement that it takes the privacy of its patients seriously. Formal notifications to be sent out to all affected individuals in due course.
The incident demonstrates that even with secure pass codes and staff training, mistakes can be made that can potentially expose data to unauthorized personnel. Healthcare providers must ensure that all staff are made aware of the dangers of leaving mobile devices unattended and instructed never to leave devices in vehicles. Data encryption should also be employed to ensure that in the event of theft, mobile devices remain fully secured and PHI data is kept confidential.
A recent verdict in an Indiana court has allowed a case to be heard holding a healthcare provider liable for the actions of an employee who improperly accessed patient data. This has set a legal precedent and healthcare providers may face heavy fines for accidental exposure of PHI due to employee negligence.