A New York City medical and mental health center recently reported a potential PHI data breach after a laptop containing patient information was stolen, underscoring the importance of encrypting devices on which patient health data is stored.
The laptop belonged to Woodhull Medical and Mental Health Center, a part of the New York City Health and Hospitals Corporation (HHC). According to a health data breach notification letter, the laptop had been stolen from a patient exam room between the night of August 18, 2015 and the afternoon of August 19, 2015.
Although the laptop was securely locked and password-protected, it was not encrypted, potentially putting at risk any PHI that was stored on it. HHC states, however, that it has no reason to believe the laptop was stolen to facilitate fraudulent use of the PHI, and that it was most likely stolen for its market value.
Potentially compromised information includes patient names, medical numbers, test results, and brief clinical notes. The notification letter made no mention of Social Security numbers or other medical billing information.
According to an HHC press release, the agency notified the 1,581 potentially affected individuals about the health data breach via letters. Additionally, HHC and Woodhull stated that they contacted the New York City Police Department regarding the incident, and that an investigation is currently under way.
To prevent similar incidents in the future, Woodhull is reportedly implementing several safeguards. First, Woodhull is examining its current security measures to identify weak spots in need of improvement. Second, Woodhull states it is looking into additional security measures to implement. Third, Woodhull is readministering security awareness training for all staff to underscore the importance of health data security.
Woodhull also explains that it has enlisted the services of Kroll, a third-party identity theft protection agency, to provide identity theft protection services to potentially affected individuals. Additionally, Woodhull encourages potentially affected individuals to review their medical records to ensure they contain no inconsistent or suspicious information.
Woodhull expressed regret that the situation occurred, and offered an apology to those potentially affected.
“We at Woodhull take our role of safeguarding your personal information and using it in an appropriate manner very seriously,” the provider said in its notification letter. “Woodhull apologizes for the concern this incident may have caused and assures you that we are doing everything we can to prevent an incident of this nature from reoccurring.”
Stolen laptops are a fairly common source of health data breaches. As reported by HealthITSecurity.com, Oklahoma University Department of Urology recently experienced a laptop theft resulting in the breach of nearly 9,000 patients’ health information.
The OU laptop, which belonged to a former employee of the hospital, was stolen in late August. The laptop may have contained a spreadsheet which listed patient names, diagnoses, treatment codes, dates of treatment, dates of birth, descriptions of urologic medical treatment or procedure, medical record numbers, and physician names.
Likewise, this laptop was password-protected but unencrypted. A login password alone does not protect the data stored on the drive itself. These two incidents emphasize the critical importance of keeping devices containing patient health data encrypted to safeguard against unauthorized access.