HIPAA Blog

[ Friday, January 27, 2006 ]

 

Providence Health System (Oregon) records theft: Here's another one. An employee took home computer disks and tapes containing PHI (names, addresses, and social security numbers, as well as medical information) on about 365,000 home care patients. No hospital or clinic records were involved. The records were locked in the employee's minivan, which was parked in the driveway when someone smashed in a window and stole the disks and tapes. The disks and tapes were in a laptop bag, but there was no laptop in the bag. Perhaps the thief saw the bag and thought he'd steal a computer. The information was not encrypted.

What were they thinking? Well, Providence had managers take home backup information on home care patients because they wanted to have the information available if there was a patient emergency AND a computer system failure at the same time. If that happened, the manager would be able to access the information that would otherwise be tied up in the computer system failure. But the road to hell gets paved with good intentions when they're carried out carelessly.

Of course, I'm betting that the thief threw the whole computer bag away once he opened it and figured out there wasn't anything worthwhile in there. Then again, my information isn't on one of those disks. . . .

More here, and the Providence statement is here. And, via Raymond Shelton, the slashdot thread (if you want running commentary).

Jeff [10:08 AM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template