PHI of 660 Patients Exposed Due to Missing Device

660 patients of Eastern Maine Medical Center are being notified that some of their protected health information may have been been exposed after a ortable hard drive, that stored sensitive information, has gone missing from its State Street facility, in Bangor, ME.

The device in question lacked encryption and data on the device could be obtained without the need for a password. It has not been confirmed that the device definitely was stolen, but it (the device) could not be found during a search of its facility. The drive was last seen in its normalplace on December 19, 2017 and was discovered that it was missing on December 22.

This device belonged to a business associate of Eastern Maine Medical Center and stored limited patient data. No Social Security numbers, financial information, or health insurance particulars were present on the device, only full names, birth dates, dates of service, medical record details, one-word condition descriptors, and procedural pictures.

The patients affected by the breach had attended the medical center for cardiac ablation procedures between January 3, 2011 and December 11, 2017. Not all patients who attended the medical center for those procedures were impacted. Some patients had their data stored in other places.

The possible theft has been made known to law enforcement and investigations into the circumstances regarding the loss/theft of the hard drive are ongoing. A comprehensive search of the facility was completed although the device has now been officially classified as lost and patients are now being made aware the breach by mail.

The slowness in issuing breach notification letters was due to the time needed to search the facility and find out which patients’ PHI was saved on the device.

Despite the fact that  the types of data needed to commit identity theft were not exposed, all patients affected by the incident have been offered free identity theft monitoring and protection services for one year out of “an abundance of caution”.

President of Eastern Maine Medical Center Donna Russell-Cook commented “We take our commitment to uphold our patients’ privacy very seriously and are reviewing our processes to strengthen data security.”