Share this article on:
Woodhull Medical and Mental Health Center Data Breach Announced
The New York City Health and Hospitals Corporation (HHC) has sent breach notification letters to 1,581 patients of its Brooklyn Woodhull Medical and Mental Health Center, after a laptop computer was discovered to have been stolen.
The laptop computer was password protected, but data stored on its hard drive had not been encrypted. As a result, the Protected Health Information of some of its patients could potentially have been compromised.
Data potentially exposed in the incident include patient names, medical record numbers, narrative physicians’ summaries and medical test results. No insurance information, Social Security numbers or other data typically used to commit identity theft were stored on the laptop.
The theft of healthcare laptop computers is a regular occurrence. The Department of Health and Human Services’ Office for Civil Rights breach portal contains many examples of HIPAA-covered entities that have failed to secure the portable devices. Over the past three months, over 20 cases of portable device theft have been reported to the OCR. The majority of those incidents could have been prevented had members of staff taken better care of their computer equipment.
Physical Controls Had Been Used to Prevent Device Theft
This security breach differs, as Woodhull Medical and Mental Health Center had taken steps to ensure that the laptop computer was protected. The device had been locked to an electromyograph machine, yet this was insufficient to prevent it from being stolen. Between the evening of August 18, 2015 and the afternoon of August 19, the laptop was removed from an examination room within the Woodhull Medical and Mental Health Center.
The theft does suggest the person responsible stole the laptop computer to sell on, rather than stealing it for the data it contained. As a result, HHC does not believe there is a high risk of the data being used inappropriately. Password protection should also prevent the data from being viewed by the perpetrator of the crime.
That said, HHC is taking no chances and is providing all victims with identity theft protection services as a precaution, and has taken the decision to encrypt all portable devices to prevent any future incidences of equipment theft from potentially exposing the PHI of patients.
This is over and above what is required by HIPAA Rules, and demonstrates the commitment of HHC to protect patient privacy. Members of staff will also be provided with additional training on security awareness, and a review of internal policies and procedures will also take place. Supplemental physical protections will be implemented, as appropriate, to reduce the opportunity for future medical and portable device theft.
Password Protection Not Sufficient to Prevent PHI from being Accessed
Password protection affords a certain degree of security, which can prevent opportunistic thieves from gaining access to stored data, but passwords can easily be cracked. Consequently, HIPAA breach notification letters must be issued to patients to alert them to the possibility that their information has been exposed following the theft of a password protected devices used to store PHI. Only when data has been encrypted, will a HIPAA breach notice not be required following the theft of a portable electronic device.