PHI of up to 2,000 Veterans Obtained Following Theft of USB Drives

Two USB drives storing the protected health information of up to 2,000 veterans have been stolen from the Man-Grandstaff VA Medical Center in Spokane, WA it has been reported.

The two USB devices were being used to store protected data from a standalone, non-networked server that was being put out of service. One of the USB devices stolen was the master drive used to move the medical center’s Anesthesia Record Keeper database to its virtual archive server. In a statement released by VA Medical Center it stated that this transfer had taken place in January. It has not been revealed as to why the database was still stored on the drive.

The devices were illegally obtained on July 18, 2017 from a contract employee who was attended to a service call to a VA hospital in Oklahoma City.

Man-Grandstaff VA Medical Center was not able to deduce precisely what information was contained on the USB drives, although the database on the virtual archive server was searched and found to contain full names, addresses, phone numbers, surgical information, insurance information, and Social Security details.

1,915 subscribers, who have possibly been affected are being made aware of the violation by mail and have been offered free credit monitoring services for one year.

In September this year, the same medical center revealed another data breach had been experienced. An unencrypted laptop device that was used as an interface with a hematology analyzer was found to be missing. The data on the laptop contained names, dates of birth, and the Social Security numbers of almost 3,200 veterans.  After that HIPAA breach, the medical center put in place a system that allows technological devices to be remotely qipd in the event of loss or theft.

While moving or storing data on small portable devices such as USB, pen, or zip drives is a useful method, the devices are easily misplaced, lost, stolen or otherwise obtained. The loss of a USB drive storing or holding PHI is a reportable HIPAA breach and one that could possibly lead to a major regulatory financial sanction.

There are now a multitude of cloud-based storage options that allow data to be easily accessed and shared among organizations. HIPAA covered bodies still utilizing these small portable devices to store PHI should consider removing these from service and switching to HIPAA-compliant cloud-storage.

Before using any cloud storage service, HIPAA covered groups should complete a signed, HIPAA-compliant business associate agreement and train members of staff on the correct use of the storage service.

Should there be no solution other than using the USB drives, any PHI kept on the devices should be encrypted to prevent unauthorized access if the device is loss or stolen, or a different security measure that provides an equivalent level of security for the USB device.