Boston Children’s Hospital has released a press statement revealing that a laptop issued to one of its staff members was lost at a conference in Buenos Aires, possibly exposing the protected health information of 2,159 of its patients.
The laptop had basic security measures in place and was password protected; however, the data stored on it was not encrypted. That distinction matters: under HHS guidance, PHI encrypted to the specified standard is not "unsecured" PHI, and its loss would not have triggered breach notification. In accordance with federal law, all affected patients were sent a breach notification letter by mail describing the incident and the information that may have been exposed, along with guidance on how they can protect their identities and mitigate any resulting harm. The letters were issued on May 22, 2012.
In the letter, patients were told that their data was stored in a spreadsheet attached to an email in a password-protected account. The file contained names, medical record numbers, diagnosis codes, procedures performed, dates of past surgery and dates of birth. No financial information, credit card numbers or Social Security numbers were involved.
No electronic health records or other protected information were stored on the laptop’s hard drive, but the attachment may have been accessible through the email client at the time of the theft. It is therefore possible that the thief, or whoever came into possession of the laptop, could have viewed, saved or copied the data. The hospital’s investigation could not determine whether this happened, or whether the attachment was even accessible at the time.
Boston Children’s Hospital Senior Vice President for Information Services and its Chief Information Officer stated: “We take great measures to ensure that Protected Health Information is never inadvertently released, and we are undertaking additional steps to prevent breaches such as this in the future. We deeply regret and apologize for any concern or inconvenience this situation may cause our patients and families.”
Under the HIPAA Breach Notification Rule, patients must be notified of any breach of their unsecured Protected Health Information so that they can take steps to mitigate the damage. Breaches affecting more than 500 individuals must also be reported to the Office for Civil Rights (OCR) of the Department of Health and Human Services, and announced to prominent media outlets when more than 500 residents of a state or jurisdiction are affected; OCR actively investigates the organizations concerned.
If OCR’s review finds that the breach resulted from a failure to implement the safeguards for ePHI required by the Health Insurance Portability and Accountability Act, it can impose substantial financial penalties for each violation.