PHI of 660 Eastern Maine Medical Center Patients Exposed

Eastern Maine Medical Center is notifying 660 patients that some of their protected health information has been exposed. The sensitive information was stored on a portable hard drive that has gone missing from its State Street facility in Bangor, ME.

The device lacked encryption, and data on it could be accessed without a password. Theft has not been confirmed, but the device could not be located during a search of the facility. The drive was last seen in its usual place on December 19, 2017, and was noticed to be missing on December 22.

The device belonged to a business associate of Eastern Maine Medical Center and contained limited patient information. No Social Security numbers, financial information, or health insurance details were present on the device, only full names, birth dates, dates of service, medical record numbers, one-word condition descriptors, and procedural images.

The patients impacted by the breach had visited the medical center for cardiac ablation procedures between January 3, 2011 and December 11, 2017. Not all patients who visited the medical center for those procedures were affected. Some patients had their data stored elsewhere.

The potential theft has been reported to law enforcement, and investigations into the circumstances surrounding the loss/theft of the hard drive are continuing. A comprehensive search of the facility was conducted, but the device has now been officially declared lost, and patients are being notified of the breach by mail.

The delay in issuing breach notification letters was due to the time taken to search the facility and discover which patients’ PHI was stored on the device.

Even though the types of information required to commit identity theft were not exposed, all patients impacted by the incident have been offered complimentary identity theft monitoring and protection services for 12 months out of “an abundance of caution”.

Donna Russell-Cook, Eastern Maine Medical Center president, said, “We take our commitment to uphold our patients’ privacy very seriously and are reviewing our processes to strengthen data security.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.