Stolen Electromyography Device Contained 836 Patients PHI, says SSM Health

SSM Health has started notifying patients that some of their protected health information was exposed when a portable device was stolen from DePaul Hospital St Louis in Bridgeton, MO.

The device contained the protected health information of 836 patients, including names, medical record numbers, dates of birth and brief details of patients’ chief health complaint.  No insurance details, financial information, Social Security numbers or contact information were stored on the device. Due to the limited data stored on the device, patients are not believed to be at risk of experiencing identity theft or fraud.

The portable device was stolen from DePaul hospital overnight between April 12 and the morning of April 13, 2017. The theft has been reported to the local police department and an investigation into the incident is ongoing.

The device, which resembles a laptop computer, was part of an electromyography (EMG) medical device. Officials at DePaul hospital believe the device was stolen because it resembles a laptop computer, not for the information stored on the device. No evidence has been uncovered to suggest any data on the device have been misused.

SSM Health has confirmed in a substitute breach notice uploaded to its website that the device was solely used in conjunction with the EMG device and that it is not possible to access patients’ medical records through the device.

Affected individuals had been participating in an electro diagnostic study run by Dr. Syed Khader and had received treatment at the hospital between 2002 and 2017. No other patients of the hospital were affected by the incident.

Patients have been notified of the breach as is required by Health Insurance Portability and Accountability Act (HIPAA) Rules and the Department of Health and Human Services’ Office for Civil Rights has been notified.

Action has already been taken to ensure similar incidents do not occur in the future, including tightening security controls through written procedures and retraining staff on the correct handling of patient information.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.