Lebanon Internal Medicine Associates (LIMA) in Pennsylvania has announced a data breach that is ultimately tied to flooding. The use of full disk encryption like AlertBoot could have averted this scenario. On the other hand, how often do you get a breach from a flood?
Blame Tropical Storm Lee, Contractors
LIMA sent notification letters to those affected by the breach and posted the notice on its site. According to the letter, the breach occurred on September 12 “during the cleanup of severe flooding [caused by Tropical Storm Lee] which affected Lebanon, Pennsylvania.” The breach was discovered on October 18.
What happened? Over 100,000 gallons of water flooded LIMA’s laboratory, which contained, among other things, a computer being used as a file server. This computer was flooded as well and “rendered inoperable.” A contractor hired to clear out the mess disposed of it.
Of course, chances are that the patient health information (PHI) on the machine is safe due to the flooding. Plus, LIMA notes that there were “multiple pre-existing security measures” used on the server. So, everything’s cool, right? Not quite.
HIPAA / HITECH Breach Notification Rule
The data in the computer ranges from November 1999 to August 25, 2011. It includes patients’ names, SSNs, dates of birth, home address, account numbers (although it’s not specified what kind of account), diagnoses, lab test results, and medical insurance information.
We can infer a number of things from the breach notification letter. First, chances are that over 500 people were affected. For starters, it’s a central file server, which by definition implies that lots of records were stored on it. Plus, HITECH’s rules require a breached entity to go public with the breach if more than 500 patients are affected.
Second, the computer probably did not make use of encryption software. Encryption of PHI is the one get-out-of-jail card under the Breach Notification Rule. The fact that LIMA is following the exact protocol of an organization that has not used encryption speaks volumes. Added to that, most organizations won’t use full disk encryption software on a central server, citing slower access times and the like.
It’s quite unfortunate for LIMA. Who’d have thought that a flood, of all things, would be the reason why you’re announcing a data breach to the world, right?
It’s Happened Before
The announcement of a HIPAA breach due to a flood is not unprecedented. Nearly 15 months ago, I wrote a post about another HIPAA-covered entity that had to report a breach because of flooding.