Medical College of Wisconsin: Possible HIPAA Violations

The Medical College of Wisconsin has released a statement revealing that a data breach has affected approximately 400 of its patients.

WDJT Milwaukee, an affiliate of CBS, was contacted on Feb 28, 2015 by a spokesperson for the Medical College of Wisconsin advising of a breach which exposed some confidential information of its patients. The breach happened on February 15, 2015, when a document and a laptop computer were taken from a physician’s car. The document contained sensitive information relating to approximately 400 patients. The laptop is understood only to have contained the information of a solitary patient.

It is not clear at this time exactly what information was stored on the laptop computer or in the document, although MCW has confirmed that no Social Security numbers or patient addresses were stolen.

Despite legislation that requires data encryption to be addressed, the healthcare industry has been slow to respond and use data encryption on its desktop workstations, laptop computers and other portable storage devices. Data encryption ensures that if a device is stolen, no information can be accessed by unauthorized people. When it is not used, a laptop theft can expose thousands, if not hundreds of thousands, of patient records.

HIPAA does not require data encryption, only that it be addressed. If a similar level of protection can be supplied by other means, healthcare organizations are entitled to use these instead.

At The Medical College of Wisconsin, data encryption and other security controls are used in accordance with HIPAA regulations, yet these have been bypassed by a doctor.

The statement said, “Firm policies are in place prohibiting the downloading of patient information to portable media, as well as the secured transport of documents containing patient information.” It added, “A violation of these policies occurred on February 15, 2015, resulting in the theft of a document containing private information on approximately 400 patients, as well as information stored on a laptop computer pertaining to one patient.”

All affected patients are now being contacted to advise them of the breach and the information that has been obtained illegally, and also to warn them of the possibility that their information may be used inappropriately. The Medical College of Wisconsin has also confirmed that it has now taken action to prevent further breaches of this nature from happening.

It is clear that a privacy violation has happened, although at this stage it is unknown to what extent HIPAA violations have occurred and who is to blame. suggest that the data on the laptop was not encrypted, which violates the privacy policies on the company website which state that electronic protected information (EPI) must be encrypted at all times.