Lost Laptop Sees PHI of 3,725 Veterans Exposed

A decommissioned laptop computer previously used by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has been discovered to be missing, potentially resulting in the exposure of sensitive patient data.

The laptop was paired with a hematology analyzer and stored data related to hematology tests. The laptop was in use between April 2013 and May 2016, but was decommissioned when the device became unusable. The laptop, which had been supplied by a vendor, was replaced; however, an equipment inventory revealed the device to be missing.

The device should have been returned to the vendor, although the vendor has no record of the laptop ever being recalled from MGVAMC. An inventory of equipment at the MGVAMC lab determined the device was missing. A full search of the medical center was conducted but the laptop could not be located.

It was not possible to tell exactly what information had been stored on the device, or the exact number of patients whose protected health information may have been exposed. MGVAMC concluded all patients who submitted samples for hematology tests during the dates that the laptop was in use potentially had data exposed.

The types of information stored on the device would have included names, dates of birth, and Social Security numbers, according to a statement issued by MGVAMC. 3,275 patients have potentially been impacted and have been notified of the possible breach. Where applicable, patients will be offered credit monitoring and identity theft protection services.

Whenever equipment containing electronic protected health information is decommissioned, HIPAA-covered entities must ensure all data is rendered unreadable, indecipherable, and otherwise cannot be reconstructed.

The physical safeguards stipulated in the HIPAA Security Rule – 45 CFR 164.310(d)(2)(i) – require covered entities to implement policies and procedures to address the final disposition of ePHI and/or the hardware on which it is stored, while 45 CFR 164.310(d)(2)(ii) requires covered entities to implement procedures for the removal of ePHI from electronic media before the media are made available for re-use.

OCR recommends “clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).” If devices are supplied by vendors, the method for clearing the devices prior to decommissioning should be discussed with the vendor and policies developed accordingly.

In response to this incident, the Mann-Grandstaff VA has developed a new policy for sanitizing electronic media prior to disposal, decommissioning, or returning devices to suppliers to prevent further potential breaches of ePHI.
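One way to operationalise such a policy, shown here as an added illustration rather than the VA's own tooling, is a reconciliation check that compares the asset inventory against the sanitization log and the vendor's return receipts, so a device that left service without an accepted sanitization record or without a confirmed return surfaces before the next inventory. The asset ids and records below are constructed sample data.

```python
# Added example (not the VA's or OCR's tooling): reconcile the asset inventory,
# the sanitization log and the vendor's return receipts, flagging any decommissioned
# device that held ePHI and cannot be shown to have been sanitized and accounted for.
from dataclasses import dataclass

# Sanitization categories OCR recognises in the guidance quoted above.
ACCEPTED_METHODS = {"clear", "purge", "destroy"}

@dataclass
class Asset:
    asset_id: str
    description: str
    stores_ephi: bool
    status: str        # "in_service", "returned_to_vendor", "disposed" or "missing"
    vendor_owned: bool

def reconcile(assets, sanitization_log, vendor_receipts):
    """Return (asset_id, finding) pairs for every device that violates the policy."""
    findings = []
    for a in assets:
        if a.status == "in_service":
            continue
        if a.status == "missing":
            severity = "potential ePHI breach" if a.stores_ephi else "no ePHI at risk"
            findings.append((a.asset_id, f"unaccounted for ({severity})"))
            continue
        # A device that held ePHI must have a logged, accepted sanitization method
        # before disposal or return (45 CFR 164.310(d)(2)(i) and (ii)).
        method = sanitization_log.get(a.asset_id)
        if a.stores_ephi and method not in ACCEPTED_METHODS:
            findings.append((a.asset_id, f"no accepted sanitization record (logged: {method!r})"))
        # A vendor-owned device marked as returned must appear in the vendor's receipts.
        if a.vendor_owned and a.status == "returned_to_vendor" and a.asset_id not in vendor_receipts:
            findings.append((a.asset_id, "marked returned but vendor has no receipt"))
    return findings

# Constructed sample records modelled on the incident (hypothetical asset ids).
SAMPLE_ASSETS = [
    Asset("LAB-0417", "laptop paired with hematology analyzer", True, "missing", True),
    Asset("LAB-0418", "replacement analyzer laptop", True, "in_service", True),
    Asset("LAB-0301", "label printer", False, "returned_to_vendor", True),
    Asset("LAB-0222", "retired lab workstation", True, "disposed", False),
    Asset("LAB-0250", "loaner laptop", True, "returned_to_vendor", True),
]
SAMPLE_SANITIZATION_LOG = {"LAB-0222": "destroy", "LAB-0250": "quick_format"}
SAMPLE_VENDOR_RECEIPTS = {"LAB-0250"}

if __name__ == "__main__":
    for asset_id, finding in reconcile(SAMPLE_ASSETS, SAMPLE_SANITIZATION_LOG, SAMPLE_VENDOR_RECEIPTS):
        print(asset_id, finding)
```

Run against the sample data it reports the missing analyzer laptop, the printer marked returned without a vendor receipt, and the loaner laptop whose only sanitization record is a quick format, while the destroyed workstation passes.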

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.