3,725 Veterans have Private Data Exposed Due to Stolen Laptop

by | Oct 4, 2017

Almost 4,000 people have potentially had their sensitive patient data exposed in Spokane, WA after a laptop computer once used by the Mann-Grandstaff VA Medical Center (MGVAMC) has been reported as missing.

The laptop device was paired with a hematology analyzer and held information that referred to the results of hematology tests. The laptop was in use by MGVAMC from April 2013 to May 2016, but was decommissioned when the device became unusable. This particular laptop device, which had been provided by a vendor, was replaced.  however, an equipment inventory has revealed the laptop device is now missing.

The laptop device should have been returned to the vendor. However the vendor has no record of the laptop device ever being recalled from MGVAMC. An inventory of equipment at the MGVAMC lab showed the laptop device was missing. A thorough search of the medical center was carried out but the laptop device could not be found.

Specific details like exactly what information had been stored on the device, or the exact number of patients whose protected health information may have been exposed could not be identified. MGVAMC concluded all patients who provided samples for hematology tests during the dates that the laptop was in use potentially had thier data exposed.

The types of private information stored on the device would have included names, dates of birth, and Social Security numbers according to a statement released by MGVAMC. 3,275 patients have possibly been affected. The individuals have been advised of the possible HIPAA breach. Where applicable, patients will be offered credit monitoring and identity theft protection services free of charge.

Whenever equipment holding electronic protected health information is decommissioned, HIPAA-covered bodies must ensure all data is rendered unreadable, indecipherable, and otherwise cannot be put together so as to read the information.

The HIPAA Security Rule 45 CFR 164.310(d)(2)(i) stipulates that the physical safeguards  require covered entities to implement policies and procedures to address the final disposition of ePHI and/or the hardware on which it is held, while 45 CFR 164.310(d)(2)(ii) requires covered entities to formulate and put in place procedures for the removal of ePHI from electronic media before the media are made available for re-use.

An OCR recommendation advises clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying/terminating the media (disintegration, pulverization, melting, incinerating, or shredding). If devices are sourced from vendors, the method for wiping the devices prior to decommissioning should be discussed with the vendor and policies developed properly.

In reaction this incident, the Mann-Grandstaff VA has formulated a new policy for sanitizing electronic media prior to disposal, decommissioning or returning laptop devices to suppliers to avoid further potential violations of ePHI.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy