HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

St. Luke’s Cornwall Hospital Notifies 29K Patients of Data Exposure

St. Luke’s Cornwall Hospital has issued a media announcement providing further information on the 29,156-record data breach that occurred on October 31, 2015. The hospital has explained that the breach occurred when an unidentified individual entered a restricted area of the hospital and stole a thumb drive containing a limited amount of patient data.

The device was unencrypted and contained patient names, medical record numbers, details of imaging services provided, and the dates of patient visits. Some administrative information was also stored on the thumb drive, although no financial information, insurance details, health information, or Social Security numbers were compromised.

While the incident was discovered quickly, the hospital had to conduct an investigation to determine the exact data that were stored on the thumb drive and which patients were affected. The investigation has now been completed and patients have been notified by mail of the breach of their protected health information. The Department of Health and Human Services’ Office for Civil Rights was informed of the data breach on December 30, 2015.

Although only limited patient data were exposed and the risk of individuals suffering identity theft or financial losses as a result of the breach is relatively low, out of an abundance of caution St. Luke’s Cornwall Hospital is providing affected patients with identity theft recovery services for 12 months without charge.

The security breach has prompted St. Luke’s Cornwall Hospital to revise its policies on data encryption. All USB drives used by the hospital will now be password-protected, and any patient data stored on them will be encrypted.

The use of thumb drives and other portable storage devices carries a data security risk as they can all too easily be lost or stolen. To reduce the risk of further security incidents of this nature, St. Luke’s will be implementing IT systems that allow data access without the use of thumb drives.

OCR Takes Action over Portable Device Theft

The Office for Civil Rights has been cracking down on HIPAA-covered entities that have suffered data breaches as a result of portable storage devices being lost or stolen. A number of settlements have been reached with organizations over potential HIPAA violations uncovered after portable devices were lost or stolen and ePHI was exposed.

| Covered Entity | Breach Type | Records Exposed | Date | Settlement Amount |
|---|---|---|---|---|
| Cancer Care Group, P.C. | Theft of Laptop/Unencrypted Backup Media | 55,000 | September 2015 | $750,000 |
| St. Elizabeth Medical Center | Theft of Flash Drive | 595 | July 2015 | $218,400 |
| Adult & Pediatric Dermatology, P.C. | Theft of Flash Drive | 2,200 | December 2013 | $150,000 |
| Alaska DHSS | Theft of USB Hard Drive | 2,000 | June 2012 | $1,700,000 |

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.