Stolen Laptop Exposes 57K Patient Records in HIPAA Security Breach

Healthcare organizations can take the necessary measures to protect their computer networks from targeted attacks by hackers; however, one of the biggest risks to data security comes from mobile devices such as laptop computers, smartphones, and portable storage devices such as external hard drives and memory sticks.

Laptops and other mobile devices have become as essential in the healthcare industry as they have become to modern life. Physicians and healthcare professionals can use them to improve the service provided to patients, and the devices give doctors access to full patient medical histories wherever the doctor needs to perform the consultation.

As useful as they are, great care must be taken to keep the devices secure. Data encryption is the obvious solution, along with training the staff on HIPAA regulations and the importance of securing the data contained on portable electronic devices. Failure to secure PHI data is a HIPAA violation, and the theft of a laptop containing unencrypted data is reportable to the Office of Civil Rights and is likely to result in substantial financial penalties being applied.

Thieves Gain Access to 57,000 Patient Records

The latest HIPAA security breach involving the mass disclosure of Personal Health Information involves Lucile Packard Children's Hospital in Palo Alto, California.

Thieves broke into the car of a physician working for the hospital and stole a laptop computer that contained the data of 57,000 patients who had been treated at an academic medical center operated by Stanford University. There was no indication that the laptop was stolen for the data it contained, although those records have potentially been viewed by the thieves and the data may have been sold on.

Stanford University reported the breach on 21st January, announcing that the data contained some Social Security numbers, medical record numbers, contact information and the dates of birth of patients who had received treatment at the hospital. Unspecified “sensitive data” relating to patients who had visited the hospital for treatment in 2009 was also present in the database. The theft was reported to the authorities, who are now investigating the crime.

Following the theft, the hospital has announced that it will be revising its data security policies and procedures to ensure that a similar incident does not occur again. The measures being undertaken are understood to involve staff training sessions and the encryption of patient PHI to ensure that, should a device be lost or stolen again, the data will remain safe.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.