PHI of up to 2,000 Veterans Obtained Following Theft of USB Drives

Nov 8, 2017

Two USB drives storing the protected health information of up to 2,000 veterans have been stolen from the Mann-Grandstaff VA Medical Center in Spokane, WA, it has been reported.

The two USB devices were being used to store protected data from a standalone, non-networked server that was being taken out of service. One of the stolen USB devices was the master drive used to move the medical center’s Anesthesia Record Keeper database to its virtual archive server. In a statement, the VA Medical Center said that this transfer had taken place in January. It has not been revealed why the database was still stored on the drive.

The devices were stolen on July 18, 2017, from a contract employee who was attending a service call at a VA hospital in Oklahoma City.

Mann-Grandstaff VA Medical Center was not able to determine precisely what information was contained on the USB drives, although the database on the virtual archive server was searched and found to contain full names, addresses, phone numbers, surgical information, insurance information, and Social Security details.

The 1,915 individuals who have possibly been affected are being notified of the breach by mail and have been offered free credit monitoring services for one year.

In September this year, the same medical center disclosed another data breach. An unencrypted laptop that was used as an interface with a hematology analyzer was found to be missing. The data on the laptop contained names, dates of birth, and the Social Security numbers of almost 3,200 veterans. After that HIPAA breach, the medical center put in place a system that allows devices to be remotely wiped in the event of loss or theft.

While moving or storing data on small portable devices such as USB, pen, or zip drives is convenient, the devices are easily misplaced, lost, or stolen. The loss of a USB drive holding PHI is a reportable HIPAA breach and one that could lead to a major financial penalty from regulators.

There are now many cloud-based storage options that allow data to be easily accessed and shared among organizations. HIPAA-covered entities still using small portable devices to store PHI should consider removing them from service and switching to HIPAA-compliant cloud storage.

Before using any cloud storage service, HIPAA-covered entities should enter into a signed, HIPAA-compliant business associate agreement with the provider and train members of staff on the correct use of the storage service.

Should there be no alternative to using USB drives, any PHI kept on the devices should be encrypted to prevent unauthorized access if the device is lost or stolen, or protected by a different security measure that provides an equivalent level of security.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
