Outer Banks Hospital Reports Loss of Two Thumb Drives Containing PHI

Given the ease of transferring data securely using HIPAA-compliant cloud storage services, it is difficult to understand why healthcare organizations still use thumb drives, especially thumb drives without encryption. Because of their small size, thumb drives are easy to lose, as North Carolina’s Outer Banks Hospital has discovered.

Assets from the OBX Cardiopulmonary Rehabilitation program of Eastern Carolina Cardiovascular P.A. had been acquired by Outer Banks Hospital recently. While transferring data from Eastern Carolina Cardiovascular to the Outer Banks Hospital, two thumb drives were lost. The drives contained the protected health information of patients going back 12 years.

The data were transferred between June 20 and June 21, and the thumb drives were discovered to be missing on June 22. An external forensics firm was brought in to investigate and determine which data were on the missing drives and which patients had been affected.

The investigation revealed that the drives contained names and demographic information, emergency contact telephone numbers, patient account numbers, medical record numbers, Social Security numbers, insurance ID numbers, the names of referring physicians, medical diagnoses, mental health information, and health histories.

Patients affected by the breach had previously received medical services under Eastern Carolina’s OBX Cardiopulmonary Rehabilitation program between 2004 and 2016.

Patients started to be notified of the potential data breach on August 16, although the hospital expects the process to take some time. All patients who have contact information recorded in the system should receive breach notification letters in the next few weeks.

All individuals affected by the security breach have been offered a year of credit monitoring and identity theft restoration services without charge, although no reports of identity theft have been received by the hospital to date.

The hospital has suggested that patients should place a fraud alert on their accounts as an additional precaution against identity theft and fraud. Patients are also being encouraged to keep a close check on their account statements.

The hospital has not released details of how many patients have been impacted by the breach. That will become apparent when the incident is uploaded to the Office for Civil Rights breach portal.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.