A laptop computer with information on 3,192 people was lost by a physician at the Indiana University School of Medicine. Laptop encryption software like AlertBoot was not used to protect the data. The incident, undoubtedly, triggered a HIPAA data breach, and it’s only a matter of time before we see the incident show up on the HHS’s wall of shame.
Laptop Stolen from a Car
Indiana University started sending out breach notification letters on September 2 to over 3,000 individuals. A laptop computer used for research purposes by a physician at the Department of Surgery was stolen from the physician’s car.
The breached data included names, ages, sex, diagnoses, and medical record numbers. There are two FAQs present at the IU site. In one, the university’s FAQ on the issue keeps repeating that SSNs were not included. In the other, it states that SSNs were compromised. The university’s webpage publicizing the incident claims that Social Security numbers were included for 178 people. (The dual FAQ is slightly confusing if you’re speed-reading through the page.)
The breached protected health information included patient data between 1980 and 2009.
Password-protection was present, but the university has made it clear that the password-protection was not tied to encryption software, meaning that anyone with the mental faculty to google the words “bypass password” could get around this supposed “protection.”
Read the Comments
The article covering the above at the Isite has a number of comments from readers. Some of these quickly point out that the use of laptop encryption should have been required.
Others note that IU had a HIPAA breach due to the lack of encryption. Technically, that’s not correct: HIPAA does not require the use of encryption software. However, it does require a HIPAA-covered entity to publicize a data breach if confidential patient information is involved in a data breach unless strong encryption was used.
The fact that Indiana University went on to publicize the breach indicates, more likely than not, that encryption was not used. Had they used disk encryption on medical laptops, we probably wouldn’t be hearing about this incident. (And from a pragmatic and realistic point of view, there wouldn’t be anything to report — the data would be safe).
One thing that hit me over the head was this comment:
A research study is not front line health care, and the SSN more than likely was needed for patient compensation. Some of the research projects at IU pay up to $1000. [MetroDad61, indystar.com]
I’ve often brought up the weird fact that researchers have both SSNs and medical record numbers in their data. If you have one, you really don’t need the other (as an identifier), and since SSNs are the more controversial of the two, one would imagine that SSNs would be dropped.
The above gives us a reason why researchers have SSNs within their records, but a quick overview of how hospitals work doesn’t quite support it. I mean, would the hospital’s accounting department be cutting the checks to the volunteers, or would it be up to the researcher to do so? I’m guessing it’s the former, so paid volunteerism doesn’t quite cut it as an explanation.
HIPAA has guidelines for medical research. As far as I know, they encourage the use of anonymized data and, if necessary, to create trackers to be used instead of SSNs (that last one might be a requirement, actually).