9387 Patients’ PHI Exposed Due to Lack of Encryption on Hard Drive

Charles River Medical Associates, based in Framingham, MA-based, has discovered that one of its portable hard drives was missing, possibly affecting the PHI of almost 9,400 people

Last November, the practice discovered that the device  which contained x-ray images, names, patient ID numbers, and birth dates was missing. Every clientpatient who had been treated at the Framingham radiology lab for a bone density scan since 2010 had their x-ray images accessed.

The hard drive in question was used by the practice as a backup device and updated the stored data every month with bone density scans from the past month. The last time the device was put into use was during completion of the October data backup. In late November 2017 , when the monthly backup was scheduled to be completed, the portable drive could not be located.

A full search of the premises was completed, which took several weeks, but the device could not be found. All employees were asked about the whereabouts of the drive, but no one had seen the device in the past month.

Charles River Medical Associates has now stated the device lost and the search has come to an end. Brian Parillo, executive director of Charles River Medical Associates stated, “It’s hard to speculate on what could have happened to it.”

Any device containing unencrypted protected health information going missing is a reportable incident under HIPAA Rules and patients must be made aware of the potential breach of their data. In line with HIPAA Rules, the incident has now been made known to the Department of Health and Human Services’ Office for Civil Rights (OCR) and patients have been advised of the HIPAA breach by mail.

While the drive is thought to have been lost rather than illegally taken, it is possible that the device has been found and the data saved on the drive viewed by unauthorized people. Patients have therefore been told to take steps to protect themselves against any negative impact from the incident, including obtaining credit reports and checking their credit accounts for any sign of fraudulent actions.

However, since no Social Security details, financial data, or health insurance details were saved on the device, the potential for identity theft and fraud is minimal.

Due to the incident, the decision has been taken to stop using unencrypted portable drives to complete backups. A full security audit has also been carried out to identify other potential weaknesses in confidentiality, integrity, and availability of PHI, a review of hardware has been finished, and staff have been retrained on privacy processed.

The breach report filed to the OCR shows 9,387 people have been affected by the incident.