Unencrypted Flash Drive Causes Data Breach At Fertility Clinic.
More specifically, the lost USB drive includes the details of infertility treatments for the patients, with some of the records going as far back as 1999.  No financial information or Social Security numbers were included.  As things stand right now, anybody who finds the drive can access the information just by plugging it into a computer.
The doctor involved in the matter is mortified, appropriately so, and is sending letters of apology to the affected patients.  Naturally, instances such as this bring HIPAA regulation breaches to one’s mind.  I will not make any extensive commentary except to say that this obviously is a violation of that particular act.
What I just realized (I’m slow this way) is that, letter of apology or not, this doctor is probably going to get sued.  Nothing surprising there.  However, I also know that doctors spend a considerable amount of their money buying insurance.  Medical lawsuits are big business.  Do doctors get any rebates on their insurance premiums for protecting their patient data?  Or is something like this totally separate from medical insurance—just as homeowner’s insurance doesn’t cover damages from flooding (which must be bought separately)?
Because I think I see an alignment of interests between the two industries that is quite synergistic.  With encryption, doctors and patients are protected in the event of theft.  And because they’re protected, a lawsuit would not be brought; or, if a doctor is sued anyway, chances are that the defendant would win—meaning insurance companies can keep their money.  And since there is a lower risk of a financial payout to the injured party, insurance companies can lower their premiums, acting as a behavioral incentive for doctors to encrypt their data.  It probably would work better than writing up some policy on page twenty-five of a manual that nobody ever reads and expecting it to be followed.
It’s quite obvious that encryption is the best way to enforce patient confidentiality in a digital world.  What’s not so obvious is that encryption (something offered as a managed service by AlertBoot) is probably the easiest way to protect it as well—from the standpoint of total coverage, including random events such as thefts or the classic “we have no idea what happened to it—I guess it must have been stolen” cases.  I think not enough people are getting the message.  Perhaps a little cash incentive from medical insurance firms is in order.