This week, OCR announced a new settlement with a covered entity to resolve HIPAA violations discovered during the investigation of an impermissible disclosure of ePHI. The incident that sparked the investigation was the theft of an unencrypted laptop computer from the vehicle of a CardioNet employee.
This week has also seen two data breaches reported that similarly involved the theft of portable devices. Earlier this week, Lifespan announced that a MacBook had been left in an employee’s vehicle, from where it was stolen. The device was neither encrypted nor password protected, and ePHI was accessible via the employee’s email account. More than 20,000 patients’ ePHI was potentially compromised.
The second incident involved a flash drive rather than a laptop. Western Health Screening (WHS), a Billings, MT-based provider of on-site blood screening services, announced that patients’ names, phone numbers, addresses and some Social Security numbers have been exposed. The data on the drive related to individuals who had undergone blood screening tests between 2008 and 2012.
A WHS employee was en route to a health fair in a WHS-owned vehicle on February 7, 2017 when the vehicle was stolen. The flash drive had been left in the van. In this case, the flash drive was password protected, although WHS determined on February 15, 2017 that the device had not been encrypted. The theft was reported to law enforcement, but neither the vehicle nor the flash drive has been recovered.
WHS has not received any reports suggesting that data on the device has been accessed or used inappropriately, although an impermissible disclosure could not be ruled out. In response to the incident, WHS has taken steps to enhance its procedures for storing sensitive data on mobile devices, and employees have been retrained on safeguarding sensitive information. Out of an abundance of caution, individuals affected by the breach have also been offered credit monitoring and identity theft protection services.
The breach report submitted to OCR indicates that 15,326 individuals were impacted by the incident.
The CardioNet, Lifespan, and WHS breaches could all have been prevented if encryption had been used. If an encrypted device is lost or stolen, the incident does not need to be reported to OCR and patients do not need to be notified, because, most importantly, the ePHI on the device is not exposed.
While HIPAA Rules do not require encryption to be used to protect ePHI on portable storage devices, if the decision is taken not to use encryption, an equivalent safeguard must be used.
While a strong password may deter casual access by a thief, it is not sufficient to stop a determined individual from reaching the data: a password alone does not protect the stored data themselves, whereas encryption does. A strong password is therefore not a safeguard equivalent to encryption, and OCR would determine the use of a password – rather than encryption – to be a violation of the HIPAA Security Rule.
The simple solution for safeguarding ePHI is to use encryption (following NIST recommendations) on all portable devices that store ePHI. While encryption carries a cost, it is likely to be far cheaper than an OCR fine: the decision not to encrypt data on portable storage devices ended up costing CardioNet $2.5 million.