HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Unencrypted Backup Drive Containing 7 Years of PHI Stolen from Denton Heart Group

The danger of storing unencrypted protected health information has been highlighted by a recent security incident reported by Texas-based Denton Heart Group – A member of the Health Texas Provider Network.

A hard drive containing 7 years of EHR backup data was recently discovered to have been stolen. While the device was stored in a locked closet, the data on the device were not encrypted. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 21,665 individuals were impacted by the breach.

The backup files contained a treasure trove of patient data including names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, insurance provider names and policy numbers, physicians’ names, clinic account numbers, medical diagnoses, lab test results, medications and other clinical data. The backups were made between 2009 and 2016.

The theft was discovered by the medical group on January 11, 2017 although the device was believed to have been stolen on or around December 29, 2017.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

All eligible individuals affected by the incident will be offered credit monitoring and identity theft protection services through Experian, although no reports of misuse of the stored data have been received.

To prevent future incidents, Denton Heart Group is re-evaluating the security of computer devices used by its clinics, although it is unclear whether the theft will prompt the medical group to encrypt its backups in the future.

20% of Healthcare Organizations Do Not Use Encryption

Two reports were published last month that showed how the healthcare industry in the United States lags behind other industry sectors when it comes to data encryption.

The 2017 Thales Data Threat Report for the Healthcare Industry indicates only 65% of healthcare organizations in the United States encrypt backup data stored in the cloud. A study by HyTrust indicates 25% of healthcare organizations are using cloud services but are not encrypting cloud data.

Even though healthcare organizations are increasing security budgets, the industry still has one of the lowest data encryption adoption rates. Last year, Sophos conducted a survey that showed only 31% of healthcare organizations were extensively using encryption to protect sensitive data – The lowest percentage of all industries surveyed. Encryption was used to some degree by a further 49% of healthcare organizations, although 20% of surveyed organizations were not using encryption at all. Only the retail sector scored lower with 23% of retailers opting not to use encryption.

The lack of encryption leaves healthcare organizations particularly vulnerable to data breaches. According to OCR figures, since January 1, 2014, there have been 182 hacking incidents reported. Those incidents resulted in the theft/exposure of 125,994,157 healthcare records. There have also been 249 cases of lost or stolen equipment containing PHI. Those incidents impacted 8,902,225 individuals.

Given the extent to which healthcare organizations are now being targeted by cybercriminals and the huge numbers of healthcare records exposed or stolen as a result of hacks and lost and stolen devices, any healthcare organization that is not encrypting PHI is taking a huge risk.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.