Full Disk Encryption: Georgia Health Sciences University Announces Breach.

According to a number of sources, Georgia Health Sciences University (GHSU) is notifying 513 patients that their medical data was breached when a nurse practitioner’s computer was stolen.  It’s not mentioned whether laptop encryption software like AlertBoot was used, but it’s quite apparent that they didn’t.

Laptop Computer Stolen from Nurse’s Home

According to GHSU’s press release:

On Jan. 18, a nurse practitioner who works in sickle cell clinics across Georgia, including the Georgia Health Sciences Adult Sickle Cell Clinic, had a laptop computer stolen from her home. The information in the records on the laptop was limited to name, date of birth, limited diagnosis information and an internal code associated with the patient’s laboratory tests. The records did not include addresses, Social Security numbers or financial information.

The statement is short and direct.  And yet, the language is not as clear as it could be.  Take for example when GHSU states that the nurse practitioner “works in sickle cell clinics across Georgia.”

Does this mean that she also may have had PHI from other clinics that are not associated with GHSU?  A Google search for “Georgia sickle cell clinic” also turns up the Georgia Comprehensive Sickle Cell Center at Grady (Emory University) as a competitor.  There may be others, although these two appear to be the heavyweights when it comes to sickle cell disease treatments in the “Peach State.”

Or is GHSU letting readers know that she moved with the GHSU system, from clinic to clinic?  If so, perhaps GHSU was indirectly justifying why the nurse practitioner had a computer with patient data in her home.

Which brings up another question: was the stolen laptop issued by GHSU or was it the nurse practitioner’s personal laptop?  I’m willing to bet it’s the former, although, with today’s BYOD trend, I wouldn’t be surprised if it was the latter.

Regardless, it would have been ideal if encryption software had been used to protect the contents of the now-stolen computer.  In fact, it’s almost a requirement, actually.  Was it used?  It doesn’t look like it, since HIPAA / HITECH grants safe harbor from the Breach Notification Rule if patient data is encrypted.

Why Use Encryption on Medical Laptops?

There are a number of reasons why laptop encryption should have been used in the above case.  First, there is the fact that any medical organization should put patient confidentiality at the top of their list for moral, ethical, and legal reasons.  This alone means that, at the least, basic (but good, strong) security should be implemented.

Second, thousands of PHI data breaches are reported to the HHS every year (the list at the “Wall of Shame” represents a much smaller subset that involves 500 or more patients).  It’s a statistical certainty that, if you are a large medical organization, you will see a PHI breach from stolen or missing devices in, oh, say, 5 years.  Of course, no one can tell you which specific device will be causing the headache.  That’s why you encrypt them all.

Third, the Department of Health and Human Services recently fined BlueCross BlueShield of Tennessee a record $1.5 million for a data breach.  It involved one million people, so it might appear that GHSU’s 513 patients couldn’t possibly bring that level of pain.  After all, it’s $1.50 per patient, right?

Except that HHS is limited from handing out no more than $1.5 million in monetary penalties to a specific organization in a given year.  Aside from this artificial limit, there is nothing preventing HHS from assigning a value of $150 per patient, which means the loss of 500 patients’ PHI would lead to a $75,000 fine.  For one laptop.

Disk encryption on laptops with medical data is a very good thing.

Related Articles and Sites:

Comments (0)

Let us know what you think