At a single Texas healthcare facility, two separate breaches involving electronic mobile devices have occurred in this year alone.
The first took place in April, when an unencrypted laptop computer was stolen from a faculty member’s home. Although it is not believed that the laptop was stolen for the information it contained, it did contain patients’ names, medical records, treatments and Social Security numbers. The breach affected 30,000 individuals.
The second breach incident occurred a few months later in July, when a hospital trainee lost an unencrypted portable hard drive on an employee shuttle bus. The drive contained patients’ names, dates of birth and treatment information. This incident affected close to 2,200 patients. In both incidents, the hospital quickly alerted the patients involved and implemented two practices to better protect its patients: training employees on the importance of properly handling sensitive electronic protected health information (EPHI), and encrypting portable devices and computers maintained by the hospital. Encryption makes it more difficult for an unauthorized user to retrieve data from a lost or stolen device.
About 53 percent of all security breaches since September 2009 stem from the loss or theft of unencrypted computing devices or storage media. Although these were unforeseen circumstances, there are ways to reduce and prevent information breach incidents.
- Communicate and train all staff regularly about the importance of privacy and security as well as the definition of HIPAA breaches.
- Perform a risk analysis at your organization to determine your level of risk.
- Encrypt information on computers and portable devices.
- Implement an access monitoring system to report unauthorized access to protected information.
- Learn how to prevent your mobile devices from causing a HIPAA violation.
- Learn how to handle threats and breaches.
- Utilize a company-wide mobile device policy.
If there is a breach at your organization, regardless of the cause, it is important to accept responsibility. Report the breach to the proper authorities and then communicate with all of the patients involved. The hospital discussed in this case study posted notice of the breach on its website and sent letters out to patients.
These two breaches motivated the hospital to accelerate their efforts to provide better security for protected health information. Although the organization deeply regrets the inconvenience caused by the incidents, losing the trust of their patients may be one permanent consequence. Healthcare organizations and professionals should learn from their mistakes and make safeguarding protected health information a high priority.