HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Lost Backup Drive Contained PHI of More than 500 EEG Patients

Baptist Medical Center South of Jacksonville, Florida, has discovered a backup drive containing the electronic protected health information of 531 patients has gone missing. The portable storage drive was discovered to be missing on May 18, 2017. The device is believed to have been taken from an EEG room.

A full search for the device was conducted but it could not be located. Baptist Medical Center South was unable to determine whether the portable drive had been borrowed by a member of staff and not returned, was misplaced, stolen, or had been accidentally disposed of. Baptist Medical Center South was also unable to determine exactly when the device went missing.

An investigation was conducted which enabled the medical center to determine which data had been backed up on the device. The information stored on the drive was limited to names, dates of birth, physician’s orders, medical record numbers, diagnoses, reasons for study, images taken during EEG tests, and patients’ room numbers. The data related to certain patients who had visited the medical center for EEG testing in 2015, 2016 and 2017. No financial information or Social Security numbers were stored on the device.

The device was not protected with encryption, although patients’ electronic protected health information could only be accessed using special software. If the device was stolen, without specialist software, it would be difficult for the thieves to access any patient information.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

No reports have been received to suggest any information on the device has been accessed or misused, although patients whose protected health information was exposed have now been notified by mail out of an abundance of caution and to satisfy regulatory requirements.

In order to prevent future security incidents of this nature from occurring, Baptist Medical Center South has reinforced and enhanced its security practices and has re-educated all staff that work in the EEG department on HIPAA regulations and specifically physical security requirements.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.