Device theft continues to expose the PHI of healthcare patients, and the past three months have seen a high volume of security incidents reported to the Office for Civil Rights which have involved the loss and theft of portable devices used to store the confidential Protected Health Information (PHI) of patients.
The latest case involves Johns Hopkins Medicine, where the theft of an unencrypted laptop computer has exposed the PHI of 571 patients and 267 research subjects.
Johns Hopkins Hospital Data Breach
A physician from Johns Hopkins Medicine is reported to have had a suitcase stolen at an airport on August 10, 2015. In that suitcase was the physician’s laptop computer, which contained a limited amount of data relating to patients and research subjects. The laptop was unencrypted, therefore the theft potentially exposed the PHI of a number of individuals, although it is probable that the theft was an opportunistic crime, rather than the physician being targeted by a thief seeking medical data and Social Security numbers.
In this case, the laptop did not contain highly sensitive information such as Social Security numbers and financial information, although patients did have a limited amount of their PHI exposed. The data stored on the laptop related to 571 patients who had received treatment for cancer between 2006 and 2014. Data relating to a research study on a rare genetic disorder were also potentially exposed.
Patient data included names, treatment dates, physicians’ names, medical record numbers and a one- to three-word diagnosis of their condition. Patients who had participated in the research study had slightly more data exposed, including their names, dates of birth, addresses, study identification numbers, referring physicians’ names, comments and technical descriptions of their condition.
According to the breach notice issued by the healthcare provider, it is hospital policy to encrypt and password protect all laptop computers to prevent the accidental disclosure of patient PHI, although in this case the laptop had not been encrypted. It is not clear whether the device was protected with a password.
Policies can be put in place to protect patient privacy, but those policies must be put into procedures that are strictly followed. In response to this incident, Johns Hopkins is taking steps to address the matter and ensure that all laptop computers used by its physicians have their data encrypted to prevent future breaches of patient PHI.
All patients affected by the breach have now been notified of the potential exposure of their PHI in accordance with HIPAA Rules.
UPDATE: November 5, 2015
According to a recent report posted in the Baltimore Business Journal, the missing computer has now been returned to Johns Hopkins Hospital. A forensic analysis is now being conducted to determine whether any PHI was viewed during the period that the device was missing. The analysis will be conducted by an independent security expert.
Device Theft Exposes the PHI of Individuals
The Department of Health and Human Services’ Office for Civil Rights receives notices of security incidents every few days. The self-reported PHI breaches are submitted by HIPAA covered entities and are posted on what is often referred to as the OCR “Wall of Shame.” The breach reporting portal lists numerous security breaches that arguably could not have been prevented, even with the best possible security controls. However, a high percentage of security incidents have resulted from negligence, either that of individual members of staff or as a result of policy and procedural failures.
Over the past three months, numerous cases of laptop and portable device theft and loss have been reported by HIPAA-covered entities. In total, 20 separate incidents have been reported, each involving the exposure of more than 500 patient records. Since covered entities have 60 days to report data breaches, it is likely that other cases have yet to be listed.
All of these data breaches fall under the category of “preventable”. Had data encryption policies been in place, and those policies strictly enforced, the exposure of patient PHI could have been avoided.
Theft and Loss of PHI-Containing Portable Devices by HIPAA-Covered Entities Since July 1, 2015
HIPAA Covered Entity | Individuals Affected
--- | ---
Empi Inc and DJ | 160,000
North East Medical Services | 69,246
Louisiana State University Health Sciences | 14,500
The McLean Hospital Corporation | 12,673
University of Oklahoma Department of Urology | 9,300
Orlantino Dyoco, M.D. | 9,000
University of Oklahoma Dept. Obs/Gyn | 7,693
Children’s Hospital Medical Center of Akron | 7,664
Sunquest Information Systems | 2,100
Lawrence General Hospital | 2,071
Max M Bayard MD | 2,000
Minneapolis Clinic of Neurology | 1,450
University of California at Los Angeles | 1,242
Lancaster Cardiology Medical Group | 1,200
Sentara Healthcare | 1,040
Barrington Orthopedic Specialists, Ltd | 1,009
OhioHealth | 1,006
Baylor College of Medicine | 1,004
The Johns Hopkins Hospital | 838
Maricopa Special Health Care District | 633
Source: OCR HIPAA Breach Reporting Portal