
St. Luke’s Cornwall Data Breach Due To Missing Thumb Drive

Recently reported healthcare data breaches include cases of device theft and improper disposal.

By Elizabeth Snell

St. Luke’s Cornwall Hospital (SLCH) reported a potential healthcare data breach after a USB thumb drive was stolen on October 31, 2015.

Possible healthcare data breach following missing USB thumb drive

After an investigation, SLCH determined that the thumb drive “appears to have included a file” that held certain patient information on it. Potentially exposed data includes patient names, medical record numbers, dates of service, types of imaging service received, and “administrative–type information used for internal business purposes.”

Social Security numbers and electronic medical records were not included, SLCH said in its statement.

“SLCH values the privacy and security of its patients’ information and is taking steps to prevent this type of event from happening in the future, including requiring password and encryption protection for all of its USB thumb drives, and the implementation of new systems that do not require the use of thumb drives or other mobile media devices,” SLCH explained.

While the SLCH statement did not say how many individuals were affected, the OCR data breach reporting tool lists 29,156 individuals as affected.

Several other potential data breaches were reported recently, including cases of improper disposal and device theft.

Data breach for Minnesota clinic after improper disposal   

Minneapolis, Minnesota-based Allina Health Isles Clinic announced that it had experienced a possible healthcare data breach after documents containing patient information were disposed of in private trash dumpsters, rather than a secure shredding bin.

Allina Health explained in a statement that the incident was discovered on October 27, 2015. There is no indication that any of the information was misused, the clinic added, and the “risk is very low” that an unauthorized individual saw the data.

Potentially compromised information includes patient names, dates of birth, medical record numbers, addresses, clinical information, the last four digits of Social Security numbers, and insurance information such as plan number. Allina Health added that this includes Social Security numbers for individuals whose health insurance identification number is their Social Security number.

Patients who had appointments at or were referred to the Allina Health Isles Clinic between April 6 and October 28, 2015 were sent notification letters by mail.

“Upon discovering the situation, Allina Health promptly initiated an investigation and determined that the trash dumpster was located in a locked garage only accessible to individuals with authorized access,” Allina said. “The trash from the dumpster is picked up weekly and taken to a city-owned disposal center where it is eventually incinerated.”

Allina reported that the Isles Clinic containers have been replaced with ones clearly marked for shredding, and that it has additionally “retrained clinic staff to dispose of documents containing identifiable patient information into designated locked shredding containers daily.”

According to the OCR data breach reporting tool, 6,195 individuals were affected by this breach.

Texas rehabilitation hospital notifies 1,300 individuals of possible data breach

HealthSouth Rehabilitation Hospital, previously Reliant Rehabilitation Hospital Central Texas, is notifying 1,359 individuals that some of their PHI may have been compromised following a laptop theft.

The laptop was reportedly stolen from an employee’s vehicle on October 21, 2015, but HealthSouth learned of the incident on October 26. The device was password protected but was not encrypted, according to the statement.

The device may have included individuals’ names, addresses, dates of birth, Social Security numbers, phone numbers, insurance numbers, diagnoses, referral ID numbers or medical record numbers.

The statement explains that the rehabilitation hospital was recently acquired by another HealthSouth affiliate and that it is HealthSouth’s policy to encrypt all laptops. However, the laptop in question had previously been used at Reliant.

“As part of HealthSouth’s post-acquisition integration process, all Reliant laptops were required to be returned and exchanged for encrypted HealthSouth laptops,” the statement reads. “The Reliant laptop at issue, however, was stolen before being returned to HealthSouth.”   

