According to phiprivacy.net, NYU Langone Medical Center announced a data breach in June, a little before their July admission to another data breach that affected 8,400 people. Unlike the latter announcement, though, the June announcement appears to be somewhat outside of NYU’s control. It’s a shame that not everyone is getting the story on the importance of medical laptop data encryption, for it’s the one solution that would have prevented the data breach.
Laptop Stolen from Employee Car
It’s a recurring topic, this story of a laptop with sensitive data being stolen from an employee’s car. According to the NYU press release, the breach announced in June (which actually took place on April 25. I should note that HIPAA requires notifications within 60 calendar days, and it looks like NYU came very close to the deadline) arose from a vehicle burglary.
In California. (I don’t know whether NYU has a branch out in The Golden State but my guess is that the answer is “no”).
And while “the employee promptly filed a police report with the California police department and notified the Medical Center of the incident,” it hasn’t been explained why the computer was not protected with HIPAA-compliant encryption. After all, this is not the first time that NYU has had a data breach involving electronic PHI.
At first, I thought it was because the device was a personal one belonging to the employee who instigated the data breach, and thus NYU had limited control over what data it carried: “The use and storage of PHI on unencrypted personal devices is strictly prohibited and against Medical Center policy.” Then I realized that this particular statement could be one that had no bearing whatsoever on the case itself, and that the hospital was just giving a general description of their policies.
The fact that they would have another data breach nearly one month afterwards is certainly a coincidence but one that could very possibly lead the HHS/OCR to closely investigate the situation, as NYU Langone has had more than its fair share of incidents over the past five years.