Chesapeake Regional Healthcare has found that two hard drives storing the protected health information (PHI) of around 2,100 patients have gone missing from the Chesapeake Regional Medical Center campus located in Chesapeake, Virginia.
The data saved on the devices relates to people who took part in studies at its Sleep Center between April 2015 and February 2018.
It is currently unclear exactly when the hard drives went missing. Chesapeake Regional Healthcare found that the devices were missing on February 6, 2018. An internal review was launched, and a full search of the facility was completed, but the devices could not be found. The missing hard drives have been reported as lost/stolen to law enforcement agencies, but Chesapeake Regional Healthcare said the chance of the devices being recovered is minimal and it does not expect the devices to be located.
The hard drives were not encrypted. If obtained by a third party, the protected health information of patients could possibly be accessed. The types of data saved on the devices include names, demographic information, birth dates, unique patient identifiers, details of the procedures and tests carried out at the Sleep Center, and data on medications that were prescribed. Social Security numbers, addresses, insurance information, and financial data were not held on the devices.
Chesapeake Regional Healthcare is taking steps to ensure similar breaches do not happen going forward. Those steps include enhancing policies related to the security of PHI stored on portable electronic devices. It is not yet clear whether the new measures will include data encryption.
Chesapeake Regional Healthcare is currently sending alerts to patients, who are being offered 12 months of free credit monitoring and identity theft protection services. Should patients discover their health information has been used inappropriately, assistance will be offered to address any harm suffered.