3,725 Veterans have Private Data Exposed Due to Stolen Laptop

Almost 4,000 people have potentially had their sensitive patient data exposed in Spokane, WA after a laptop computer once used by the Mann-Grandstaff VA Medical Center (MGVAMC) has been reported as missing.

The laptop device was paired with a hematology analyzer and held information that referred to the results of hematology tests. The laptop was in use by MGVAMC from April 2013 to May 2016, but was decommissioned when the device became unusable. This particular laptop device, which had been provided by a vendor, was replaced.  however, an equipment inventory has revealed the laptop device is now missing.

The laptop device should have been returned to the vendor. However the vendor has no record of the laptop device ever being recalled from MGVAMC. An inventory of equipment at the MGVAMC lab showed the laptop device was missing. A thorough search of the medical center was carried out but the laptop device could not be found.

Specific details like exactly what information had been stored on the device, or the exact number of patients whose protected health information may have been exposed could not be identified. MGVAMC concluded all patients who provided samples for hematology tests during the dates that the laptop was in use potentially had thier data exposed.

The types of private information stored on the device would have included names, dates of birth, and Social Security numbers according to a statement released by MGVAMC. 3,275 patients have possibly been affected. The individuals have been advised of the possible HIPAA breach. Where applicable, patients will be offered credit monitoring and identity theft protection services free of charge.

Whenever equipment holding electronic protected health information is decommissioned, HIPAA-covered bodies must ensure all data is rendered unreadable, indecipherable, and otherwise cannot be put together so as to read the information.

The HIPAA Security Rule 45 CFR 164.310(d)(2)(i) stipulates that the physical safeguards  require covered entities to implement policies and procedures to address the final disposition of ePHI and/or the hardware on which it is held, while 45 CFR 164.310(d)(2)(ii) requires covered entities to formulate and put in place procedures for the removal of ePHI from electronic media before the media are made available for re-use.

An OCR recommendation advises clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying/terminating the media (disintegration, pulverization, melting, incinerating, or shredding). If devices are sourced from vendors, the method for wiping the devices prior to decommissioning should be discussed with the vendor and policies developed properly.

In reaction this incident, the Mann-Grandstaff VA has formulated a new policy for sanitizing electronic media prior to disposal, decommissioning or returning laptop devices to suppliers to avoid further potential violations of ePHI.