Loyola University Medical Center has begun notifying patients about the theft of a flashdrive from an employee’s car. The USB device did not make use of drive encryption, potentially exposing protected health information.
The USB flashdrive was stolen from an employee’s car, along with a number of other items. The incident sounds like a smash-and-grab, which implies that the flashdrive was not the target of the break-in; however, this does not mean that the contents of the flashdrive are safe from prying eyes: one can make the argument that, for example, laptops are wiped clean of their data and sold as quickly as possible because thieves don’t want to be caught with a hot item; however, that’s only true because laptops are visible to the naked eye.
Who’s going to be as concerned about a small item such as a flashdrive? One might decide to keep it around, in his drawer, and wait to see what’s in that thing. And, when that happens, bonanza! because the missing flash device contained names, addresses, phone numbers, dates of birth, and Social Security numbers.
It’s not known how many patients were affected; the hospital declined to give out any particulars other than that less than 100 patients were involved.
One of the recurring questions that I hear when medical information is breached is “what was my information doing on a thumbdrive?” Well, the medical center has an answer for that:
Loyola says employees need access to transplant patient information at all times. In a statement, a spokesman says: “We are reviewing our portable electronic device policy and re-educating employees about securing information. We also are assisting the affected patients to protect against any possible unauthorized use of their information.” [wgntv.com]
I can see the argument there. If you suddenly need to do a transplant, having the information with you always beats waiting for it to download, or to be sent from some central repository, etc. On the other hand, why’s a SSN necessary for a transplant? It might be necessary for billing purposes, but for an actual transplant?
That doesn’t make sense at all. I’d be grateful if anyone out there can illuminate on the importance of SSNs being present for a transplant surgery. For example, do doctors use SSNs as another identifier to ensure that they’re operating on the correct patient?
HIPAA / HITECH Breach Even Before It was Stolen
Another thing that doesn’t make sense is that, even without the breach incident, carrying around protected health information (PHI) on a flash drive — which was not protected with encryption software — is a clear violation of HIPAA.
I mean, how can you justify compliance with the Security Rule under such circumstances? You’ve got a violation of the Physical Safeguards section (access control); a violation of the Technical Safeguards section (access control, person authentication, data security); and possibly a violation of the Administrative Safeguards section.
I guess you could argue that the USB memory device belonged to someone, so that takes care of the access control and authentication (only the owner will access it); and that the person used to be an ex-Navy SEAL, so that takes care of the data security…but would the argument stick when audited?
If flashdrive encryption was used, though, there would be no HIPAA violation. For starters, data security is ensured because only those with the correct password would be able to access the information, which takes care of the access control as well. So, despite not having proper “physical security” (it’s a USB drive, after all) a hospital would be in compliance with HIPAA. I imagine that the Administrative Safeguard is also met because I’m assuming the hospital would have given the password to the right people only.
I just don’t see what there is to “review” on Loyola’s part; things should have been in place since day one. If it’s necessary for transplant information to be on an employee’s body at all times — say, as a hospital policy — then you also have to come up with ways to ensure ePHI is secure in those instances as well (hint: encryption). You can’t just shove the responsibility on employees by educating them and calling it a day. Given enough time, things are bound to get lost. Or stolen.
Related Articles and Sites: