[ Wednesday, October 12, 2011 ]
Today's data breach news
: As seems so often to be the case, portable data storage is the Achilles heel of PHI security. In New Hampshire
, a flash drive with data of 2000 patients was stolen from a clinic employee's car. The flash drive was in a computer bag in a locked car; presumably the thief thought he was getting a computer, not a flash drive. The data apparently wasn't encrypted, but fortunately it didn't have social security numbers or credit card numbers either.
Meanwhile, in Baltimore
, the lawyer representing Dr. Mark Midei (the alleged stent over-user) in multiple malpractice claims lost a portable hard drive containing medical records of 161 of the plaintiffs. This one makes for some interesting reading. The law firm claims that the data was taken home nightly as a security precaution (basically, a data backup). But the data wasn't encrypted. And the firm waited two months before sending notice letters. The firm isn't a covered entity, but it's certainly a business associate, which would make it subject to the HIPAA Security Rule and the privacy provisions of HITECH. The plaintiff lawyer is pretty sanguine about it, calling it an honest mistake. I suspect the data has long been erased and this breach won't ever result in harm to the individuals whose data was on there (like the New Hamshire case, the value of the hard drive to a likely thief would be the hardware, not the data), but it's a pretty bad story.
Jeff [9:21 AM]
Blogger: HIPAA Blog - Edit your Template