HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OhioHealth Reports Loss of Flash Drive Containing 1,006 Protected Health Records

A flash drive containing the Protected Health Information of 1,006 patients has been declared missing by OhioHealth Riverside Methodist Hospital.

The data stored on the portable storage device related to valve-replacement candidates and research subjects who had taken part in valve-replacement projects between July 2010 and December 2014. It included patient names, addresses, dates of birth, physician names, medical record numbers, insurance information, types of medical procedures performed and treatment dates. 30 Social Security numbers have also potentially been exposed.

It is not clear exactly when the flash drive went missing, although the hospital system was able to determine the device was last used on April 14, 2015 in the heart and vascular department, an area inaccessible to the general public. On May 29 the drive was declared missing.

On Friday last week, OhioHealth issued a press release announcing the possible breach. Notification letters were also sent to the affected individuals to alert them to the possibility that their data was exposed, although according to Mark Hopkins, a spokesman for the healthcare provider, the unencrypted drive is not believed to have been stolen.


Efforts have been made to locate the device, but in the two months since the drive was discovered to be missing it has not been located, hence the breach notice.

A notice on the healthcare provider’s website says “OhioHealth is deeply committed to the sacred trust that we hold in providing quality care to our patients and families, including as it relates to the protection of their confidentiality.” The statement also included an apology: “We sincerely apologize and regret that this incident has occurred.”

In order to prevent similar incidents from occurring in the future, OhioHealth will be providing staff with additional training sessions on data privacy and security, and as an additional precaution, the use of flash drives is no longer permitted in the heart and vascular department.

Flash drives are small, typically less than two inches in length. As such, they can easily be misplaced, lost or stolen. Because of the high risk of loss and theft, any sensitive data stored on the devices should be encrypted.

OhioHealth has announced that it will now be taking this additional precaution, and will start encrypting all flash drives used by staff in its central Ohio hospitals, followed by the healthcare provider’s hospitals in Athens, Mansfield and Shelby. Data encryption should be completed by the end of this week in central locations and the remaining flash drives will be encrypted during the next 45 days.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.