URMC Faces Third HIPAA Breach

Posted on May 7, 2013 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

The University of Rochester Medical Center has seen a third HIPAA breach, this one caused by the loss of an unencrypted USB drive by a physician, reports Healthcare IT News.  The drive, which belonged to a resident, contained protected health information on 537 patients.

Officials with URMC say they have notified the 537 former orthopedic patients whose information was lost on the drive.  Lost information included patients’ names, genders, ages, dates of birth, telephone numbers, medical record numbers, and more, though it didn’t include addresses, Social Security numbers or insurance information.

According to Healthcare IT News, the resident’s unencrypted, unprotected drive runs counter to URMC’s campus-wide policy. URMC requires physicians and staff to use only encrypted drives — the only kind which are stored in its on-campus computer center.  The latest URMC security policy also requires all mobile devices to be password protected, encrypted, and to have a time-out if unattended.

In an effort to make sure further security breaches don’t occur, the health organization is re-educating its faculty and staff on its security policy, and plans an annual education series to reinforce this training, a hospital spokesperson told Healthcare IT News.

This is URMC’s third data breach involving more than 500 patients reported to HHS, the magazine reports. The previous two breaches, which involved PHI for nearly 3,500 patients, both took place in 2010.  One of the two involved the loss of an encrypted portable electronic device.