Unencrypted Device Theft Continues to Plague HIPAA CEs

Device theft continues to expose the Protected Health Information (PHI) of healthcare patients. Over the past three months, a high volume of security incidents involving the loss or theft of portable devices used to store confidential patient PHI has been reported to the Office for Civil Rights.

The latest case involves Johns Hopkins Medicine, where the theft of an unencrypted laptop computer has exposed the PHI of 571 patients and 267 research subjects.

Johns Hopkins Hospital Data Breach

A physician from Johns Hopkins Medicine is reported to have had a suitcase stolen at an airport on August 10, 2015. In that suitcase was the physician’s laptop computer, which contained a limited amount of data relating to patients and research subjects. The laptop was unencrypted, so the theft potentially exposed the PHI of a number of individuals, although it is probable that the theft was an opportunistic crime rather than the physician being targeted by a thief seeking medical data and Social Security numbers.

In this case, the laptop did not contain highly sensitive information such as Social Security numbers and financial information, although patients did have a limited amount of their PHI exposed. The data stored on the laptop related to 571 patients who had received treatment for cancer between 2006 and 2014. Data relating to a research study on a rare genetic disorder were also potentially exposed.

Patient data included names, treatment dates, physicians’ names, medical record numbers and a one- to three-word diagnosis of their condition. Patients who had participated in the research study had slightly more data exposed, including their names, dates of birth, addresses, study identification numbers, referring physicians’ names, comments and technical descriptions of their condition.

According to the breach notice issued by the healthcare provider, it is hospital policy to encrypt and password protect all laptop computers to prevent the accidental disclosure of patient PHI, although in this case the laptop had not been encrypted. It is not clear whether the device was protected with a password.

Policies can be put in place to protect patient privacy, but those policies must be translated into procedures that are strictly followed and verified. In response to this incident, Johns Hopkins is taking steps to address the matter and ensure that all laptop computers used by its physicians have their data encrypted to prevent future breaches of patient PHI.
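An encryption policy is only as good as the check that enforces it: a laptop that should have been encrypted but was not is exactly the gap this incident exposed. The following is an added example, not code from the article or from Johns Hopkins, of how a security team could verify full-disk encryption across a fleet of Linux laptops. It assumes the laptops use dm-crypt/LUKS and that `lsblk` is available; it walks the block-device stack under the root filesystem (read with `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`) and reports any host whose root volume does not sit on a `crypt` layer. The two `lsblk` outputs embedded below are constructed samples, and the hostnames are placeholders.

```python
"""Fleet check for full-disk encryption on Linux laptops (added example).

A root filesystem counts as encrypted only if some device in its parent
chain has TYPE="crypt" (a dm-crypt/LUKS mapping). PKNAME is the parent
kernel device name that lsblk prints for each entry, so following it from
the device mounted at "/" upward walks the whole stack, including LVM on
top of LUKS.
"""
import shlex
import subprocess

LSBLK_COLUMNS = "NAME,TYPE,MOUNTPOINT,PKNAME"

# Constructed sample: LVM volume group on top of a LUKS container.
ENCRYPTED_LAPTOP = """\
NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg0-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="cryptroot"
"""

# Constructed sample: plain partition mounted at /, no crypt layer anywhere.
UNENCRYPTED_LAPTOP = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
"""


def parse_lsblk_pairs(output: str) -> dict:
    """Turn `lsblk -P` key="value" lines into {NAME: {column: value}}."""
    devices = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        # shlex handles the double-quoted values; split on the first '='.
        fields = dict(token.split("=", 1) for token in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def volume_is_encrypted(output: str, mountpoint: str = "/") -> bool:
    """True if the device mounted at `mountpoint` has a crypt layer beneath it."""
    devices = parse_lsblk_pairs(output)
    current = next(
        (d for d in devices.values() if d["MOUNTPOINT"] == mountpoint), None
    )
    seen = set()  # guard against a malformed parent loop
    while current is not None and current["NAME"] not in seen:
        seen.add(current["NAME"])
        if current["TYPE"] == "crypt":
            return True
        current = devices.get(current["PKNAME"])
    return False


def fleet_report(inventory: dict, mountpoints=("/",)) -> dict:
    """Classify each host as 'encrypted', 'UNENCRYPTED' or 'error'.

    `inventory` maps hostname -> lsblk -P output collected from that host.
    Every listed mountpoint must be encrypted for the host to pass.
    """
    report = {}
    for host, output in inventory.items():
        try:
            ok = all(volume_is_encrypted(output, mp) for mp in mountpoints)
            report[host] = "encrypted" if ok else "UNENCRYPTED"
        except (KeyError, ValueError):
            report[host] = "error"  # unparseable output; investigate by hand
    return report


def local_lsblk() -> str:
    """Collect the same data from the machine this runs on."""
    return subprocess.run(
        ["lsblk", "-P", "-o", LSBLK_COLUMNS],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # Hostnames are placeholders; in practice the outputs come from an
    # inventory agent or a scheduled ssh collection job.
    sample_inventory = {
        "laptop-oncology-01": ENCRYPTED_LAPTOP,
        "laptop-research-07": UNENCRYPTED_LAPTOP,
    }
    for host, status in sorted(fleet_report(sample_inventory).items()):
        print(f"{host:24s} {status}")
```

The check answers one narrow question: is there a dm-crypt mapping somewhere under the volume that holds patient data? It does not judge passphrase strength or key management, and a laptop whose `/home` lives on a second, unencrypted disk would pass a root-only check, which is why `fleet_report` takes a tuple of mountpoints to audit. Running it on a schedule and treating any `UNENCRYPTED` or `error` result as a ticket turns the policy in the paragraph above into something that is actually verified rather than assumed.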

All patients affected by the breach have now been notified of the potential exposure of their PHI in accordance with HIPAA Rules.

UPDATE: November 5, 2015

According to a recent report posted in the Baltimore Business Journal, the missing computer has now been returned to Johns Hopkins Hospital. A forensic analysis is being conducted by an independent security expert to determine whether any PHI was viewed during the period that the device was missing.

Device Theft Exposes the PHI of Individuals

The Department of Health and Human Services’ Office for Civil Rights receives notices of security incidents every few days. The self-reported PHI breaches are submitted by HIPAA covered entities and are posted on what is often referred to as the OCR “Wall of Shame.” The breach reporting portal lists numerous security breaches that arguably could not have been prevented, even with the best possible security controls. However, a high percentage of security incidents have resulted from negligence, either on the part of individual members of staff or as a result of policy and procedural failures.

Over the past three months, numerous cases of laptop and portable device theft and loss have been reported by HIPAA-covered entities. In total, 20 separate incidents have been reported, each involving the exposure of more than 500 patient records. Since covered entities have 60 days to report data breaches, it is likely that other cases have yet to be listed.

All of these data breaches fall under the category of “preventable”. Had data encryption policies been in place, and those policies strictly enforced, the exposure of patient PHI could have been avoided.

Theft and Loss of PHI-Containing Portable Devices by HIPAA-Covered Entities Since July 1, 2015

HIPAA Covered Entity                              Individuals Affected
------------------------------------------------  --------------------
Empi Inc and DJ                                                160,000
North East Medical Services                                     69,246
Louisiana State University Health Sciences                      14,500
The McLean Hospital Corporation                                 12,673
University of Oklahoma Department of Urology                     9,300
Orlantino Dyoco, M.D.                                            9,000
University of Oklahoma Dept. Obs/Gyn                             7,693
Children’s Hospital Medical Center of Akron                      7,664
Sunquest Information Systems                                     2,100
Lawrence General Hospital                                        2,071
Max M Bayard MD                                                  2,000
Minneapolis Clinic of Neurology                                  1,450
University of California at Los Angeles                          1,242
Lancaster Cardiology Medical Group                               1,200
Sentara Healthcare                                               1,040
Barrington Orthopedic Specialists, Ltd                           1,009
OhioHealth                                                       1,006
Baylor College of Medicine                                       1,004
The Johns Hopkins Hospital                                         838
Maricopa Special Health Care District                              633

Source: OCR HIPAA Breach Reporting Portal

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.