HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Unencrypted Hard Drive Stolen from LSU Health New Orleans: 2,200 Individuals Impacted

Another healthcare provider has announced that an unencrypted device used to store electronic protected health information of patients has been stolen.

The medical data of 2,200 patients of Louisiana State University Health New Orleans were stored on a portable hard drive that was stolen from the Department of Neurology Research in March.

The theft occurred on or around March 6 and was immediately reported to law enforcement. A suspect was arrested the following day, although the hard drive has not been recovered. Officials do not believe any data on the drive have been misused, although the possibility that ePHI has been viewed cannot be ruled out.

LSU Health New Orleans has reconstructed the data on the drive and is notifying affected individuals. The drive contained research data relating to individuals who participated in studies between 1998 and 2009.

No Social Security numbers or financial information have been compromised, with the data breach limited to names, dates of birth, diagnosis codes and treatment codes.

This is not the first time that an incident such as this has resulted in the exposure of patients' protected health information. In 2015, a faculty member of the LSU Health New Orleans School of Medicine had a laptop computer stolen from his vehicle. The device contained a wide range of protected health information of approximately 5,000 minor patients. Following that breach, information security policies and procedures were reviewed to determine whether improvements could be made to reduce the risk of future breaches.

LSU Health New Orleans does now have information technology policies in place that require safeguards to be implemented on mobile devices to reduce the risk of data exposure in the event that devices are lost or stolen. Those policies do include the use of encryption; however, in this case, those policies were not followed.

According to a statement issued by LSU Health New Orleans, the lack of encryption on the device has resulted in ‘appropriate remedial action’ being taken.

Data security policies will now be updated and included in training programs to prevent similar incidents from occurring in the future. Affected patients are being offered one year of credit monitoring services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.