U.S HealthWorks HIPAA Breach Raises Issue of Data Encryption
U.S. HealthWorks, a healthcare provider based in Valencia, California, has reported a breach of PHI and PII after an unencrypted laptop computer was stolen from the vehicle of a company employee.
Theft of Laptop Computer from Unattended Vehicle
The incident occurred on April 21, 2015 and was discovered by the healthcare provider the following day. The sample breach notification letter – posted on the State of California DoJ Attorney General’s website – explains that a company employee had taken a laptop computer and left it in a vehicle from where it was stolen. Upon discovering the theft, the incident was reported to law enforcement officers and an investigation was commenced.
U.S HealthWorks started an internal investigation to determine the exact nature of the data stored on the laptop; a process which has taken some time to complete. According to the breach notification letter – dated May 30, 2015 – it took until May 5, 2015 to determine that the laptop computer was password protected but lacked data encryption software. The healthcare provider was able to determine that Protected Health Information (PHI) and Personally Identifiable Information (PII) could be accessed through the device. The number of individuals affected by the HIPAA breach as yet to be disclosed to the media.
The information potentially exposed includes names, addresses, dates of birth, job titles and Social Security numbers. In Accordance with the Health Insurance Portability and Accountability Act, credit protection services are being offered without charge for a period of one year to mitigate any damage caused, although the healthcare provider believes there is a low risk of any information being used. Credit monitoring services were only provided “out of an abundance of caution.”
Password Protection not Sufficient to Prevent Access to PHI
Passwords can offer a degree of security; however they do not enough to prevent a HIPAA violation. Hackers are able to crack passwords, and without data encryption, any information stored on an electronic device can potentially be accessed and viewed if it is lost or stolen.
In order to improve security and prevent future data breaches the company will be taking a number of actions. According to the breach notice, “To help prevent something like this from happening again, we are enhancing our procedures related to deployment of laptops and full disk encryption.” The notice also says that regular audits will also be conducted “to help ensure compliance with U.S HealthWorks’ laptop encryption policy.”
U.S HealthWorks is a subsidiary of Dignity Health, and operates more than 200 clinics in 19 states, and is one of the nation’s largest workplace healthcare providers.
Issue of Data Encryption for Portable Devices Raised Again
Data encryption is not a requirement under the Health Insurance Portability and Accountability Act; it is only an “addressable” area.
According to the Department of Health and Human Services’ Office for Civil Rights:
“The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework”
“This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.”
It may be against company policy to leave unencrypted laptops in unattended vehicles, but if members of staff are permitted to take portable devices containing PHI outside the area of control of the hospital then there is a considerable risk of a data breach. This should have been picked up in a risk assessment, and serious consideration given to encrypting the devices.
It is not clear in this case why the company elected not to use data encryption and what, if any, alternative methods were employed to protect the data aside from a password. That is something that will need to be explained to the OCR if its auditors come knocking.