A physician from the University of Oklahoma College of Medicine’s Department of Obstetrics and Gynecology became a victim of crime this summer when a laptop computer was stolen from a vehicle in which it had been temporarily left. Unfortunately, the protected records of 7,693 patients were stored on the laptop, and the device was not encrypted.
The laptop contained two separate lists of data, the first including information about patients who had visited either the Department of Obstetrics and Gynecology’s Outpatient Surgery Center or Presbyterian Tower center between January 1, 2009, and December 31, 2014. The lists contained the names of patients, the date a gynecologic or urogynecologic medical procedure was performed, details of that medical procedure, and admission and discharge dates. Also stored with that data were patient names, dates of birth, ages, medical record numbers and patient account numbers. No insurance information, financial details or Social Security numbers were exposed in the security breach.
The second list contained data about patients who had received inpatient medical services for high-risk deliveries or other medical services relating to pregnancy. The patients affected had visited a University of Oklahoma medical center between September 24, 2014 and May 31, 2015. Their exposed PHI included an initial and last name, their age and some health data, including allergies, delivery date, lab test results, pregnancy information (including any complications suffered) and any medications that were prescribed.
The theft occurred on June 12, 2015, and was reported to the University the same day, immediately after the physician had alerted local law enforcement officers to the theft. An internal investigation was launched by the University to determine the exact data stored on the laptop and the patients affected. Law enforcement is also investigating, although to date the laptop has not been recovered.
On July 3, the Department of Health and Human Services’ Office for Civil Rights was notified of the breach, and breach notices have now been sent to all affected individuals for whom a valid postal address was stored. A notice has also now been placed on the University website.
Out of an abundance of caution, victims of the data breach are being offered credit monitoring and credit protection services for a period of one year without charge. Instructions for activating those services are provided in the notification letters.
The Spate of Equipment Theft Continues
During the past few weeks, numerous healthcare providers have reported security breaches caused by the theft of desktop computers and portable devices containing Protected Health Information. Data encryption is not mandatory under HIPAA Rules, although it is an addressable implementation specification and can prevent HIPAA breaches.
The Office for Civil Rights may not issue a financial penalty simply for failing to encrypt data, but a data breach can trigger a compliance audit. Any HIPAA violations discovered during that audit could result in action being taken against the entity.
However, if data encryption is employed on all equipment used to store PHI – laptops, tablets, smartphones, zip drives and other portable storage devices – then no data will be exposed if a device is ever lost or stolen, and breach costs will be avoided. Given the high risk of breaches involving laptops and mobile devices, and the high costs of resolving data breaches, data encryption can be seen as a prudent investment.