Dexcomm Blog

HIPAA Case Study: 1 Facility, 2 Separate Breaches Involving Mobile Devices

September 18, 2012

At a single Texas healthcare facility, two separate breaches involving electronic mobile devices have occurred in Laptop and dicsthis year alone.  

The first took place in April, when an unencrypted laptop computer was stolen from a faculty member’s home.  Although it is not believed that the laptop was stolen for the information it contained, it did contain patients’ names, medical records, treatments and Social Security numbers.  The breach affected 30,000 individuals.   

 

USB

The second breach incident occurred a few months later in July, when a hospital trainee lost an unencrypted portable hard drive on an  employee shuttle bus.  The USB flash drive contained patients’ names, dates of birth and treatment information.  This incident affected close to 2,200 patients.    In both incidents, the hospital quickly alerted the patients involved and implemented two practices to better protect their patients: training employees on the importance of properly handling sensitive electronic protected health information (EPHI), and encrypting portable devices and computers maintained by the hospital.  Encryption makes it more difficult for an unauthorized user to retrieve data from the device.     

About 53 percent of all security breaches since September 2009 stem from the loss or theft of unencrypted computing devices or storage media.  Although these were unforeseen circumstances, there are ways to reduce and prevent information breach incidents. 

 

  1. Communicate and train all staff regularly about the importance of privacy and security as well as the definition of HIPAA breaches.
  2. Perform a risk analysis at your organization to determine your level of risk.
  3. Encrypt information on computers and portable devices.
  4. Implement an access monitoring system to report unauthorized access to protected information.
  5. Learn how to prevent your mobile devices from causing a HIPAA violation.
  6. Learn how to handle threats and breaches.
  7. Utilize a company wide mobile device policy.

 

If there is a breach at your organization, regardless of the cause, it is important to accept responsibility.  Report the breach to the proper authorities and then communicate to all of the patients involved.  The hospital discussed in this case study posted the breach on their website as well as sent letters to out to patients.

 

These two breaches motivated the hospital to accelerate their efforts to provide better security for protected health information.  Although the organization deeply regrets the inconvenience caused by the incidents, losing the trust of their patients may be one permanent consequence.  Healthcare organizations and professionals should learn from their mistakes and make safeguarding protected health information a high priority.

 

HIPAA Case Study Sources

 

http://www.databreachtoday.com/cancer-center-reports-2nd-data-breach-a-5048

 http://www.mdanderson.org/about-us/compliance-program/substitute-notice.html

http://www.databreachtoday.com/25-health-breaches-added-to-tally-a-5059

 


Dexcomm is a Louisiana-based corporation that provides answering services to businesses and service agencies across the United States. We have been open since 1954, employ a staff of roughly 50 people, and our average client retention rate is 10+ years.

Connect With Us:

Twitter

Facebook

LinkedIn


 

Read More About The Author: Dexcomm

Want To Stay In The Know? Subscribe to our blog!

You can sign up to receive weekly or monthly copies of our latest blogs, keeping you current on best practices, tips, and expert insight into helping your business communicate at its very best.


why-use-an-answering-service-thumbWhen you do, we will send you our free infographic.

"Why Use an Answering Service?"

 

Subscribe Here!

Lists by Topic

see all