HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Sharp Healthcare Says Stolen Devices Contained PHI of Patients

A computer and an external storage drive have been stolen from San Diego-based healthcare provider Sharp Healthcare.

The devices were taken from a locked cabinet in an access-controlled patient treatment area of the Sharp Memorial Outpatient Pavilion in Kearny Mesa in San Diego, CA. It is not known when the devices were taken, although they were discovered to be missing on February 6, 2017.

The devices were used to store the data of patients who had undergone wellness screening as part of blood pressure and cardiac health studies performed at the outpatient center. The types of data stored on the devices include patients’ full names, ages, dates of birth, medications currently being taken, a summary of the studies that were being performed, and family health histories. The devices were not encrypted, so it is possible that the patient health information stored on both devices could be accessed by unauthorized individuals.

An internal investigation was conducted when the devices were discovered to be missing, and efforts were made to locate them; the investigation suggested the devices had been stolen. Law enforcement has been notified of the theft, although the equipment has not yet been recovered.

In response to the incident, Sharp Healthcare is reviewing its security practices and will be implementing a number of additional safeguards to prevent further incidents of this nature from occurring.

The Department of Health and Human Services’ Office for Civil Rights and the California Department of Public Health have been notified of the breach. 750 current and former patients are understood to have been impacted by the incident. All patients have already been notified by mail in accordance with Health Insurance Portability and Accountability Act Rules.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.