Unencrypted Laptop HIPAA Breach Announced by Boston Children’s Hospital

by Patrick Kennedy | May 24, 2012

Boston Children’s Hospital has released a press statement revealing that a laptop issued to one of its staff members was lost at a conference in Buenos Aires, possibly exposing the protected health records of 2,159 of its patients.

The laptop had basic security measures installed and access was secured via a password; however, the data stored on the laptop was not encrypted. In accordance with federal law, all patients concerned have been sent a breach notification by mail advising them of the security breach and detailing the information that could possibly have fallen into the hands of others. They have also been given guidance on how they can protect their identities and mitigate any damage caused. The breach notification letters were issued on May 22, 2012.

In the letter patients were told that their data was stored in a spreadsheet attached to an email and that the account was password protected. The information stored in the file included names, medical record numbers, diagnosis codes, procedures performed and dates of past surgery. Dates of birth were included, although no financial details such as credit card numbers or Social Security numbers had been disclosed in the loss.

No electronic health records or protected information were stored on the laptop’s hard drive, although the attachment may have been accessible through the email program at the time the theft happened. It is therefore possible that the thief, or whoever came into possession of the laptop, could have seen, stored or copied the data. The investigation carried out by the hospital could not confirm whether this was the case, or whether the attachment was in fact even accessible at the time of the theft.

Boston Children’s Hospital Senior Vice President for Information Services and its Chief Information Officer stated: “We take great measures to ensure that Protected Health Information is never inadvertently released, and we are undertaking additional steps to prevent breaches such as this in the future. We deeply regret and apologize for any concern or inconvenience this situation may cause our patients and families.”

HIPAA breaches must be made known to the media, and patients must be advised of any breach in which their Protected Health Information was potentially exposed, so that they can take steps to mitigate damage. The Office for Civil Rights (OCR) of the Department of Health and Human Services must also be told of breaches involving the records of more than 500 people, and it actively investigates the organizations concerned.

If the OCR reviews the incident and finds that the data breach was caused by a failure to implement the appropriate controls to safeguard ePHI, as demanded by the Health Insurance Portability and Accountability Act, it can issue substantial financial penalties for each breach.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
