Two recent health data breaches were reported after facilities in Louisiana and Vermont had laptops and other devices stolen. Incidents like this further prove why healthcare organizations need to have physical, administrative, and technical safeguards in place. Employees need to be properly trained on how to handle devices containing patient PHI, and those devices should have the necessary security measures in place.
LSU Health facility reports stolen laptop containing PHI
LSU Health New Orleans School of Medicine reported that a laptop containing the PHI of approximately 5,000 minor patients was stolen out of a physician’s car between the evening hours of July 16 and the early morning hours of July 17, 2015.
Potentially exposed information includes patient names, dates of birth, dates of treatment, descriptions of patients’ conditions, treatments, and outcomes, lab test results, radiological and ultrasound images, medical record numbers, and diagnosis and treatment information. However, Social Security numbers and financial data were not stored on the laptop.
Dr. Christopher Roth, Assistant Professor of Urology, said that the laptop was in his car, parked outside of his house. He reported the device missing on July 17, but the device has not yet been recovered.
According to the LSU Health statement, information on the laptop was not saved to LSU Health Sciences Center New Orleans servers. Instead, data was saved to the laptop’s hard drive, so the school cannot access specific data stored on the device.
“The process to reconstruct and ready notifications took nearly eight weeks to complete,” LSU Health explained. “It is unknown whether any specific patient’s data were on the stolen laptop, however those patients the university suspects may have been affected will receive individual notification by mail, along with information about protecting against identity theft.”
Patients who saw Dr. Roth from July 2009 to July 16, 2015 and do not receive a notification letter are encouraged to reach out to the university, according to the statement. LSU Health explained that even with the “exhaustive investigation” to determine which patients were affected, there could still be unidentified patients whose information was potentially exposed.
LSU Health added that it has a mobile device policy that “prohibits users from leaving SYSTEM-owned mobile devices unattended,” and that the policy was not followed in this particular case:
The policy was not adhered to in this instance, and appropriate disciplinary action will be taken at the conclusion of the investigation. In addition, the university is reviewing its information security policies and procedures to determine if improvements can be made to further reduce the risk of such a breach in the future. Any changes will be included in the information security training that all employees and students are required to complete.
Office break-in leads to health data security breach
Vermont physician Max M. Bayard, MD PC reported that his offices were broken into on August 5, 2015, and “computer devices” were stolen. Law enforcement was immediately notified upon the theft’s discovery, according to a statement posted to Bayard’s website.
Potentially exposed information varies between patients, the statement explained, but patients’ names, Social Security numbers, and other limited treatment-related information may have been on the devices. In some cases dates of birth, Medicare/Medicaid enrollment information, dates of treatment, types of treatment, and diagnoses may have been included.
The Vermont office is also taking necessary steps to prevent a similar incident from happening in the future, according to a copy of the notification letter sent to patients.
“Immediately upon discovery of the theft, we changed the firewall password, and changed all software-related, login, and email account passwords,” the letter stated. “We are also taking additional steps to prevent this type of event from occurring in the future, including installing security cameras, securing the computers in a safe when not in use, encrypting all computers, and reviewing our policies and procedures for the secure storage of personal information.”
Neither the website notification nor the copy of the notification letter sent to patients said how many individuals were potentially affected. However, the Office for Civil Rights breach reporting tool shows that 2,000 patients were affected by this health data breach.