25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Lost Backup Drive Contained PHI of More than 500 EEG Patients

Posted By on Jul 10, 2017

Baptist Medical Center South of Jacksonville, Florida, has discovered a backup drive containing the electronic protected health information of 531 patients has gone missing. The portable storage drive was discovered to be missing on May 18, 2017. The device is believed to have been taken from an EEG room.

A full search for the device was conducted but it could not be located. Baptist Medical Center South was unable to determine whether the portable drive had been borrowed by a member of staff and not returned, was misplaced, stolen, or had been accidentally disposed of. Baptist Medical Center South was also unable to determine exactly when the device went missing.

An investigation was conducted which enabled the medical center to determine which data had been backed up on the device. The information stored on the drive was limited to names, dates of birth, physician’s orders, medical record numbers, diagnoses, reasons for study, images taken during EEG tests, and patients’ room numbers. The data related to certain patients who had visited the medical center for EEG testing in 2015, 2016 and 2017. No financial information or Social Security numbers were stored on the device.

The device was not protected with encryption, although patients’ electronic protected health information could only be accessed using special software. If the device was stolen, without specialist software, it would be difficult for the thieves to access any patient information.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

No reports have been received to suggest any information on the device has been accessed or misused, although patients whose protected health information was exposed have now been notified by mail out of an abundance of caution and to satisfy regulatory requirements.

In order to prevent future security incidents of this nature from occurring, Baptist Medical Center South has reinforced and enhanced its security practices and has re-educated all staff that work in the EEG department on HIPAA regulations and specifically physical security requirements.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist