Recent Equipment Thefts Bring Data Encryption Issue to the Forefront

Cybersecurity is a hot topic at board meetings; the healthcare industry is under attack and cybersecurity defenses must be improved. While boards may be preoccupied with the threat from hackers – often perceived to be the biggest cause of HIPAA breaches – it is important not to forget about lower-tech attacks. Hackers are breaking through healthcare providers' defenses to obtain PHI, but there are easier ways for thieves to obtain data, a fact that has certainly not been overlooked by the criminal fraternity.

Theft of equipment containing Protected Health Information is also a major cause of HIPAA breaches, in spite of affordable technology existing to prevent data disclosure.

Healthcare Providers Must Tackle Device Loss and Theft

The spate of recent thefts reported by healthcare providers and health plans shows that while cybercriminal activity is on the rise, theft of devices containing unencrypted PHI is keeping pace. The risk of HIPAA breaches from the theft and loss of equipment simply cannot be ignored. It is an ever-present threat.

[Figure: Data breaches, January to April 2015]

Current figures may suggest that loss/theft is the major cause of breaches, and alarmingly 40% of healthcare providers do not appear to be using a data encryption service on their portable devices.

May/June Data Breaches Resulting from Theft

Covered Entity                                   No. of Records
Oregon’s Health CO-OP                            14,000
Fred Finch Youth Center                          6,871
St. Martin Parish School Based Health Centers    3,000
Rite Aid Corporation                             2,345
Sharon J. Jones, M.D.                            1,342
Gallant Risk & Insurance Services, Inc.          995
Success 4 Kids & Families, Inc.                  506

Don’t Forget the HIPAA Physical Safeguards

Physical controls cover basic security measures to prevent opportunistic theft of records and of equipment used to store ePHI. The physical safeguards are explained in more detail in our HIPAA compliance guide and can be found on the HHS website. Some are obvious, like keeping record storage facilities locked, but it is surprising how often simple security measures are ignored or forgotten.

Holders of paper files should keep them in locked filing cabinets and/or in a locked storage room. They should never be on display. Recently the DHHS’ Office of the Inspector General discovered that the U.S. Coast Guard had failed to apply the most fundamental of security measures.

Security guards may be required if the risk of burglary and data theft is particularly high. The employment of a security guard at the office of Sharon J. Jones, M.D., after a double burglary, resulted in the thwarting of a third break-in.

Simple protections are often overlooked and vulnerabilities missed, and the recent spate of theft reports suggests that basic security measures are lacking at many covered entities’ facilities.

With the OCR HIPAA compliance audit process now having begun, it is a good time to go back to basics and conduct a full risk analysis and to ensure that all potential vulnerabilities are identified.

It is far better to identify vulnerabilities – and take action to correct them – than to have them uncovered by an OCR auditor when the compliance audits recommence.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.