Sentara Heart Hospital has notified 1,040 patients that some of their Protected Health Information (PHI) has potentially been exposed to criminals, after two unencrypted portable hard drives were stolen from Sentara Heart Hospital’s electrophysiology labs in Norfolk, VA. The theft occurred at some point over the weekend of August 14.
The data breach affects patients who had electrophysiology procedures performed at the hospital between Sept. 4, 2014 and Aug. 14, 2015. The portable devices were stolen from an area of the hospital which is usually only accessible to patients and members of staff.
It is not clear whether a member of staff, patient, or member of the public took the devices, although Sentara’s Risk Management team did conduct a full internal investigation into the security breach. That investigation included conducting interviews with members of staff assigned to work at the hospital over the weekend in question. The internal investigation did not result in the recovery of the devices, and the investigation was closed on September 29. The Norfolk Police Department was also alerted to the theft.
The data potentially exposed was limited in nature. Patient names, dates of birth, ID numbers, procedure dates, allergy information, treating physician, staff names, and medications prescribed as part of the procedures performed were all potentially exposed. A limited amount of clinical information was also stored on the devices. No health data other than doctors’ notes – which only related to the procedures performed – were compromised in the security breach. Highly sensitive data such as Social Security numbers, financial information, insurance ID numbers and other data commonly used to commit fraud were not compromised in the security incident.
The theft is believed to have been committed by an opportunistic thief rather than a person seeking the data stored on the devices. The risk of identity theft or fraud is therefore understood to be low. According to the breach notice issued by Sentara, the clinical data and personally identifiable information exposed “is so limited it does not facilitate fraud.”
Consequently, patients are not being offered credit monitoring services, although a free credit report can be obtained from each of the three credit reporting companies – Experian, Equifax and TransUnion – should patients be worried about identity theft and fraud.
The healthcare provider has treated the incident very seriously and has made changes to internal policies and procedures to prevent future security breaches from occurring. Access to the area where portable electronic equipment is kept has now been further restricted, and all portable storage devices are being kept in locked drawers at all times, with the keys to those drawers held only by hospital managers. When required, the devices can be connected to staff laptop computers using cables, without the devices being removed from the drawers.