9387 Patients’ PHI Exposed Due to Lack of Encryption on Hard Drive

by | Jan 13, 2018

Charles River Medical Associates, based in Framingham, MA-based, has discovered that one of its portable hard drives was missing, possibly affecting the PHI of almost 9,400 people

Last November, the practice discovered that the device  which contained x-ray images, names, patient ID numbers, and birth dates was missing. Every clientpatient who had been treated at the Framingham radiology lab for a bone density scan since 2010 had their x-ray images accessed.

The hard drive in question was used by the practice as a backup device and updated the stored data every month with bone density scans from the past month. The last time the device was put into use was during completion of the October data backup. In late November 2017 , when the monthly backup was scheduled to be completed, the portable drive could not be located.

A full search of the premises was completed, which took several weeks, but the device could not be found. All employees were asked about the whereabouts of the drive, but no one had seen the device in the past month.

Charles River Medical Associates has now stated the device lost and the search has come to an end. Brian Parillo, executive director of Charles River Medical Associates stated, “It’s hard to speculate on what could have happened to it.”

Any device containing unencrypted protected health information going missing is a reportable incident under HIPAA Rules and patients must be made aware of the potential breach of their data. In line with HIPAA Rules, the incident has now been made known to the Department of Health and Human Services’ Office for Civil Rights (OCR) and patients have been advised of the HIPAA breach by mail.

While the drive is thought to have been lost rather than illegally taken, it is possible that the device has been found and the data saved on the drive viewed by unauthorized people. Patients have therefore been told to take steps to protect themselves against any negative impact from the incident, including obtaining credit reports and checking their credit accounts for any sign of fraudulent actions.

However, since no Social Security details, financial data, or health insurance details were saved on the device, the potential for identity theft and fraud is minimal.

Due to the incident, the decision has been taken to stop using unencrypted portable drives to complete backups. A full security audit has also been carried out to identify other potential weaknesses in confidentiality, integrity, and availability of PHI, a review of hardware has been finished, and staff have been retrained on privacy processed.

The breach report filed to the OCR shows 9,387 people have been affected by the incident.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy