- In late 2015, the Indiana University Health Arnett (IU Health Arnett) discovered that it fell victim to a healthcare data breach when an unencrypted storage device went missing from its emergency department.
According to a hospital statement, the device was discovered as missing on November 20, 2015. Although the hospital has yet to locate the device, IU Health Arnett officials state that they are continuing their search for the device, and there is currently no reason to believe that the information stored on it has been misused.
The device reportedly contained spreadsheets with limited health information belonging to emergency department patients between November 1, 2014 and November 20, 2015. NPR’s Chris Morisse Viza reports that those spreadsheets accounted for approximately 30,000 IU patients.
Possibly compromised health information includes patient names, dates of birth, ages, home telephone numbers, medical record numbers, dates of services, diagnoses, and treating physicians. These spreadsheets did not contain any Social Security numbers, financial information, or medical records.
In an effort to handle the incident, IU Health Arnett states that it will continue searching for the lost device. Likewise, the hospital has sent data breach notification letters to all of the potentially affected individuals, per HIPAA regulations.
IU Health Arnett maintains that patient privacy is one of its largest concerns, and that it will be reassessing security procedures to ensure that incidents such as this do not occur in the future.
“IU Health Arnett takes very seriously its obligation to maintain patient information secure, and we appreciate the trust our patients place in us,” the hospital explained in a press release. “We are taking steps to enhance the protection of portable storage devices and are reviewing policies and procedures to minimize the chance of such an incident occurring in the future.”
This is not the first time IU Health Arnett has suffered a healthcare data breach. In May of 2013, IU Health Arnett notified over 10,000 patients that there had been an unencrypted laptop theft which exposed some of their health information.
Breached information may have included patient names, dates of birth, physicians’ names, medical record numbers, diagnoses, and dates of birth. No Social Security numbers reportedly were exposed. As in this most current situation, there was no reason to believe any of this information had been misused.
In the aftermath of the 2013 healthcare data breach, IU Health Arnett explained that it would reassess its health data privacy procedures and reinforce the health data privacy training the hospital provides for its employees.
“Arnett takes very seriously its obligation to keep the information it maintains secure and we appreciate the trust that you place in us,” the hospital explained after the 2013 breach. “Arnett is reviewing its policies and procedures to minimize the chance of such an incident occurring in the future. In addition, Arnett has mandatory privacy and security training for all of its workforce members.”