Lifespan has announced a laptop computer has been stolen from the vehicle of one of its employees. A thief stole a number of items from the employee’s car on February 25, 2017, including a MacBook laptop that contained the electronic protected health information of certain Lifespan patients.
An investigation into the incident revealed that the laptop was not encrypted, nor was a password required to gain access to the device. Consequently, ePHI contained in the employee’s email account could potentially have been accessed and viewed.
An analysis of the email account confirmed that no financial information, Social Security numbers, medical records, or medical diagnoses were exposed, although the emails did contain patients’ names, partial addresses, medical record numbers, demographic information, and details of prescriptions.
Lifespan took prompt action to secure the email account by changing the employee’s login credentials. While the data stored on the device could have been accessed, the investigation into the incident has not uncovered any evidence to suggest that any information on the device was accessed and no reports have been received to suggest any patient data have been misused.
The incident has prompted Lifespan to conduct a review of the security protections used to safeguard ePHI stored on MacBooks, and its policies and procedures will be enhanced to prevent future incidents of this nature from resulting in the exposure of patients’ ePHI. Lifespan will also be re-educating its employees on device security.
All patients impacted by the incident were notified of the privacy incident by mail on April 21, 2017. The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 20,431 patients were impacted.
The incident underscores the importance of implementing safeguards to ensure that ePHI stored on portable devices, or accessible through those devices, is protected with appropriate security solutions.
The failure to implement appropriate safeguards can prove costly for healthcare organizations. This week, OCR announced it has agreed to settle potential HIPAA violations with CardioNet, which experienced a similar incident in 2011. In that case, an unencrypted laptop computer was stolen from the vehicle of an employee resulting in the exposure of 1,391 individuals’ ePHI. CardioNet must pay OCR $2.5 million and adopt a corrective action plan to address HIPAA failures that contributed to the breach.