Massachusetts Hospital Reports Missing Unencrypted Thumb Drive

Lawrence General Hospital, Mass. has reported a missing thumb drive containing the Protected Health Information (PHI) of 2,071 individuals. The drive was last used on June 6, 2015, and has not been seen since; it was noticed as missing on June 9, 2015.

In a recent press release announcing the potential loss of the drive, the hospital confirmed that the portable storage device contained only a limited amount of data, including the names of patients, lab testing codes, some lab testing information and slide identification numbers. Since no Social Security numbers, dates of birth, financial information or insurance details were stored on the device, the risk to patients is understood to be low.

The announcement regarding the potential data exposure was posted on the company website on August 7, 2015, with the OCR notified on August 5. Breach notification letters have now been sent to all patients concerned.

Employee Carelessness Raises Awareness of Thumb Drive Security

This is the second time in just a few weeks that a healthcare provider has reported a thumb drive missing. Ohio Health reported a missing thumb drive containing the PHI of 1,111 individuals in July, and The McLean Hospital Corporation also lost portable storage devices (in that case, backup tapes), potentially exposing 12,673 records. In May, Roper St. Francis Hospital lost a flash drive containing the protected data of 360 patients. In all of these cases, the data stored on the devices was unencrypted.

Even if flash drives are lost inside a facility, or are believed to have merely been misplaced, the Department of Health and Human Services’ Office for Civil Rights (OCR) requires a breach report to be submitted within 60 days of the discovery that a device is missing. Breach notification letters must also be sent to patients. Failure to adhere to these rules is likely to result in a settlement with the OCR, but so can the failure to encrypt data on flash drives.

The OCR has previously taken action against HIPAA-covered entities that failed to encrypt data on flash drives. In December 2013, Adult & Pediatric Dermatology settled with the OCR for $150,000 after an unencrypted flash drive containing PHI was stolen. The drive contained the data of 2,200 individuals, and the company also failed to execute a timely breach response.

Ohio Health announced it would be encrypting all portable devices following its potential data breach, although no mention was made of encryption in the breach notice issued by Lawrence General Hospital. It did confirm that the staff is to be retrained on “the importance of handling patient health information securely.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.