The University of Mississippi Medical Center (UMMC) and the Mississippi State Department of Health are sending notification letters to nearly 1,500 people, informing them that the loss of a laptop computer triggered a patient data breach. The laptop in question does not appear to have been secured with full disk encryption software like AlertBoot.
Two Databases in One Laptop
According to a December 20 press release, a laptop (which I assume didn’t utilize disk encryption software) that was used by UMMC for research purposes was stolen on October 31. The computer in question contained two databases, each of them involving patient research (of course) and having varying amounts of protected health information (PHI).
The first database (DB), involving 1,400 people, contained the following:
[M]edical record numbers, age, sex, race, zip code and blinded lab results. The information did not include patient names, addresses, Social Security numbers, or any financial information. Though it is possible for patients to be identified, the odds of it occurring are extremely low based on how the information is labeled in the database.
The second DB is much smaller in scale, involving only 75 people. It was not specifically mentioned what type of data was involved, only that it was “sensitive protected health information.”
The information on the laptop was password-protected. But password protection is not really data security: a logon password gates the operating system, not the data sitting on the drive, and there are many ways of getting around it.
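The practical check that follows from this point is whether a laptop's fixed drives are actually encrypted with an active, hardware-backed protector, rather than merely sitting behind a logon password. The script below is an added example and is not from the original post or from AlertBoot; it assumes a Windows laptop with the built-in BitLocker PowerShell module (Get-BitLockerVolume), and the function name Test-DiskEncryptionPolicy is mine.

```powershell
# Added example (not from the post or from AlertBoot): audit whether a Windows
# laptop's fixed volumes are protected by BitLocker, not just by a logon password.
# Assumes the BitLocker PowerShell module is available; run from an elevated session.

function Test-DiskEncryptionPolicy {
    [CmdletBinding()]
    param(
        # Require a TPM-backed protector so the volume key is not unlocked by
        # simply guessing or resetting the Windows account password.
        [string[]]$RequiredProtectorTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    )

    $results = foreach ($vol in Get-BitLockerVolume) {
        # Removable media is out of scope here; only OS and fixed data volumes
        # matter for a lost-or-stolen-laptop scenario.
        if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }

        $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasHardwareProtector = @($protectors | Where-Object { $_ -in $RequiredProtectorTypes }).Count -gt 0

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus          # e.g. FullyEncrypted, FullyDecrypted
            ProtectionStatus = $vol.ProtectionStatus      # On means protectors are enforced
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($protectors -join ',')
            # "Encrypted" alone is not enough: protection must be On and the
            # key must be bound to the TPM, otherwise the volume auto-unlocks.
            Compliant        = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                                $vol.ProtectionStatus -eq 'On' -and
                                $hasHardwareProtector)
        }
    }
    return $results
}

$report = Test-DiskEncryptionPolicy
$report | Format-Table -AutoSize

if (@($report | Where-Object { -not $_.Compliant }).Count -gt 0) {
    Write-Warning 'At least one fixed volume is not fully encrypted with an active TPM-backed protector; a lost device would expose its contents.'
    exit 1
}
```

The non-zero exit code makes the check usable from an endpoint-management or compliance job, so a device in the state described in this post (password only, no encryption) is flagged before it goes missing rather than after.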
Notification letters were sent on December 19.
HITECH and Encryption Software
I’m not familiar with Mississippi law, so I don’t know if any state medical privacy laws were broken by this incident. However, I do know enough about HIPAA to note that this could be a HIPAA breach (and most certainly a reportable data breach under HITECH’s Breach Notification Rule).
Under HIPAA, you can technically have a data breach and still be in compliance. For example, if you have a computer in a locked room in a secure wing of the hospital with restricted access to authorized personnel only, and someone breaks into it (confirmable via security camera footage), and he makes off with the computer’s hard disk containing PHI…well, this isn’t really a HIPAA breach. A hospital is not required to have security levels comparable to Fort Knox. The hospital just needs to have adequate levels of security.
I kind of interpret it as a situation where the data loss cannot be considered “negligent.” Some guy going “Tom Cruise dangling from wires” and stealing a computer HDD is a data breach, but it’s not a HIPAA breach.
On the other hand, the current situation we’re discussing is not a “Mission: Improbable” escapade:
The laptop theft occurred when UMMC employees failed to follow departmental guidelines and left the laptop unsecured for a short period of time. Since then, disciplinary actions have been taken against the responsible employees.
Hm…I’m going to correct this to better reflect what happened: “Since then, disciplinary actions have been taken against the irresponsible employees.” There you go.
Snark aside, what does “left the laptop unsecured for a short period of time” mean? I’m guessing it wasn’t stolen from a car because the press release notes that it was stolen from the clinic:
A UMMC faculty member had been assigned a laptop for use in the studies. On Oct. 31, a UMMC employee reported that the laptop used for storing participants’ personal health information was stolen from the clinic.
Ho hum. On second reading, it could mean “stolen from the clinic” in the sense of possession and not location: if the laptop belonged to UMMC, it was stolen from the clinic and not from the employee, right? Even if it was stolen from a McDonald’s parking lot.
English grammar is a tricky thing. Anyhow, no matter how it’s interpreted, it appears that this one is definitely a HIPAA breach. It’ll only be a matter of time before it ends up on the HHS Wall of Shame.