Stanford University Suffers 5th Large HIPAA Security Breach

Stanford University has now suffered its 5th large data breach in four years following the theft of a laptop from the Lucile Packard Children’s Hospital. The latest breach may not be the largest to date, or even the largest to affect the University, but it could see the University having to pay a large settlement to the OCR for failing to secure its patients’ PHI.

The latest security breach involved close to 13,000 patients. The exposed data contained personal identifiers, including patients’ names and contact information, and the data stored on the stolen laptop also included medical diagnoses, medical record numbers, surgical procedures performed and the names of the treating physicians. No Social Security numbers were present in the data set, although the hospital is still required to notify each of the 13,000 patients affected. Victims of data breaches must be alerted to the possibility that their PHI may be used so that they can take action to mitigate any damage or losses caused.

The laptop was stolen from a private area of the hospital which required badge access. According to a statement issued to Healthcare IT News by a hospital spokesperson, the laptop was “an older, non-functioning laptop with a seriously damaged screen”.

While the laptop may not have been fully functional, a broken screen does not prevent data from being viewed or accessed. A laptop with a broken screen can be connected to an external monitor to view the data stored on its hard drive, or the hard drive itself can be moved into a fully functional machine.

This is the second major breach to occur this year: in January, Lucile Packard Children’s Hospital also reported the theft of a hospital laptop which contained the PHI of around 57,000 patients. After the January security breach, hospital officials stated that they would be “redoubling efforts to ensure that all computers and devices containing medical information are encrypted,” in addition to embarking on a program of HIPAA training and enhanced IT security and compliance education.

Following the laptop theft in January, the hospital started encrypting the data stored on its laptop computers; however, the data on the stolen laptop was not encrypted because the device was deemed to be broken and inoperable. The employee who had used the laptop had the data moved to a new device, where it was encrypted.

The latest theft highlights the importance of destroying sensitive data stored on hard drives before they are decommissioned. Even when PCs, laptops, smartphones and tablets are no longer in use, they can still contain sensitive data which could be viewed by unauthorized personnel.

It is therefore essential that healthcare organizations and their business associates implement security policies to ensure that all data is permanently destroyed after use. Hard drives should be securely erased or destroyed so that no stored data remains accessible once the device in question has been sold on, scrapped or returned to a leasing company.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.