Adult & Pediatric Dermatology, P.C., a dermatology practice with offices in Massachusetts and New Hampshire, has announced a data breach. Over 2,000 people were affected when a USB flash drive was stolen from a car. A spokesperson declined to reveal whether full disk encryption like AlertBoot was used on the device.
Stolen from Employee’s Car
In what is by now a recurring theme, the data breach is tied to the break-in of a car. According to a statement, the vehicle was broken into on September 14 and a computer bag was stolen. No need to guess where the USB drive was at the time of the burglary. Patient data for approximately 2,200 people was stored on the USB drive. Per the statement:
The data stolen included digital photographs of surgical skin cancer procedures, operation reports and copies of consultation letters to referring doctors, Smith said. The flash drive did not include Social Security numbers, credit card numbers, health insurance numbers, home phone numbers or home addresses. [metrowestdailynews.com]
Aside from declining to mention whether encryption software was used to protect the above, the company also declined to confirm:
Whether the loss of the above records was a HIPAA breach
Whether any protocols were broken
I can readily answer, despite my not being a lawyer, that the above is a HIPAA breach, assuming that encryption was not used (which might not be a risky assumption: those who use encryption are more than ready to admit to it. Why wouldn’t they? The data’s safe!).
Yes, It’s a HIPAA Breach
Actually, I shouldn’t have been so definite in my statement regarding HIPAA. After all, HIPAA doesn’t apply to all medical entities. For example, a doctor’s office that only does business on a cash-only basis wouldn’t be subject to HIPAA rules, as I understand it, so a data breach is just a data breach, not a HIPAA breach.
However, Adult & Pediatric Dermatology, P.C. has a “Notice of Privacy Practice” on their site and it’s quite obvious that they’ve got to abide by HIPAA.
The biggest clue, aside from the repeated use of the phrase “protected health information”, is a footnote on the first page stating that “This Notice is prepared in accordance with the Health Insurance Portability and Accountability Act, 45 C.F.R. 164.520”.
As such, the loss of the USB drive full of information that affected 2,200 patients is definitely a HIPAA breach (they’re not denying that over 2,000 people were affected, right?).
But, even if A&P weren’t subject to HIPAA, Massachusetts has one of the most rigorous data breach laws in the fifty states.
Like HIPAA, the MA data breach and security laws provide safe harbor if strong encryption software is used.
I don’t get it. A&P obviously knew about the different laws governing data security. It went to the trouble of drafting a HIPAA notice that was featured prominently on their site (it took me less than 1 minute to find it by clicking around). Yet, it appears that they didn’t quite look into the use of encryption?
On the other hand, what’s not to understand? Sometimes, employees are more than willing to ignore policies and other internal regulations. It could very well be that A&P did everything it could do but experienced a breach because of one errant employee. If it turns out that the USB drive was the employee’s own, and that employee was breaching protocol, then A&P shouldn’t be held responsible in the moral sense (although it will be held responsible in the legal sense. Under HIPAA, the owner of the data is responsible).