Share this article on:
Lawrence General Hospital, Mass. has reported a missing thumb drive containing the Protected Health Information (PHI) of 2,071 individuals. The drive was last used on June 6, 2015, but it has not been seen since. The thumb drive was noticed as being missing on June 9, 2015.
In a recent press release announcing the potential loss of the drive, the hospital confirmed that the portable storage device contained only a limited amount of data, including the names of patients, lab testing codes, some lab testing information and slide identification numbers. Since no Social Security numbers, dates of birth, financial information or insurance details were stored on the device, the risk to patients is understood to be low.
The announcement regarding the potential data exposure was posted on the company website on August 7, 2015, with the OCR notified on August 5. Breach notification letters have now been sent to all patients concerned.
Employee Carelessness Raises Awareness of Thumb Drive Security
This is the second time a thumb drive has been reported missing by a healthcare provider in just a few weeks. Ohio Health reported a missing a thumb drive containing the PHI of 1,111 individuals in July, and The McClean Hospital Corporation also lost portable storage devices; in that case, backup tapes; potentially exposing 12,673 records. In May, Roper St. Francis Hospital lost a flash drive containing protected data of 360 patients. In all of these cases, the data stored on the devices was unencrypted.
Even if flash drives are lost inside a facility, or are believed to have been misplaced, the Department of Health and Human Services’ Office for Civil Rights (OCR) requires a breach report to be sent within 60 days of the discovery that a device is missing. Breach notification letters must also be sent to patients. Failure to adhere to these rules is likely to result in a settlement with the OCR; however so too can the failure to encrypt data on flash drives.
The OCR has previously taken action against HIPAA-covered entities that have failed to encrypt data on flash drives. In December, 2013, Adult & Pediatric Dermatology settled with the OCR for $150,000 after an unencrypted flash drive containing PHI was stolen. The drive contained the data of 2,200 individuals. The company also failed to execute a timely breach response.
Ohio Health announced it would be encrypting all portable devices following its potential data breach, although no mention was made of encryption in the breach notice issued by Lawrence General Hospital. It did confirm that the staff is to be retrained on “the importance of handling patient health information securely.”