St. Luke’s Cornwall Hospital has issued a media announcement providing further information on the 29,156-record data breach that occurred on October 31, 2015. The hospital has explained that the breach occurred when an unidentified individual entered a restricted area of the hospital and stole a thumb drive containing a limited amount of patient data.
The device was unencrypted and contained patient names, medical record numbers, details of imaging services provided, and the dates of patient visits. Some administration information was also stored on the thumb drive, although no financial information, insurance details, health information, or Social Security numbers were compromised.
While the incident was discovered quickly, the hospital had to conduct an investigation to determine the exact data that were stored on the thumb drive and which patients were affected. The investigation has now been completed and patients have been notified by mail of the breach of their protected health information. The Department of Health and Human Services’ Office for Civil Rights was informed of the data breach on December 30, 2015.
Although only limited patient data were exposed and the risk of affected individuals suffering identity theft or financial losses as a result of the breach is relatively low, out of an abundance of caution St. Luke’s Cornwall Hospital is providing affected patients with identity theft recovery services for 12 months without charge.
The security breach has prompted St. Luke’s Cornwall Hospital to revise its policies on data encryption. All USB drives used by the hospital will now be password-protected, and any patient data stored on them will be encrypted, so that a drive which is lost or stolen does not by itself expose the data it holds.
The use of thumb drives and other portable storage devices carries a data security risk as they can all too easily be lost or stolen. To reduce the risk of further security incidents of this nature, St. Luke’s will be implementing IT systems that allow data access without the use of thumb drives.
OCR Takes Action over Portable Device Theft
The Office for Civil Rights has been cracking down on HIPAA-covered entities that have suffered data breaches as a result of portable storage devices being lost or stolen. A number of settlements have been reached with organizations over potential HIPAA violations uncovered after portable devices were lost or stolen and the ePHI they held was exposed.
| Covered Entity | Breach Type | Records Exposed | Settlement Date | Settlement Amount |
|---|---|---|---|---|
| Cancer Care Group, P.C. | Theft of laptop/unencrypted backup media | 55,000 | September 2015 | $750,000 |
| St. Elizabeth Medical Center | Theft of flash drive | 595 | July 2015 | $218,400 |
| Adult & Pediatric Dermatology, P.C. | Theft of flash drive | 2,200 | December 2013 | $150,000 |
| Alaska DHSS | Theft of USB hard drive | 2,000 | June 2012 | $1,700,000 |