URMC Faces Third HIPAA Breach

The University of Rochester Medical Center has seen a third HIPAA breach, this one caused by the loss of an unencrypted USB drive by a physician, reports Healthcare IT News. The drive, which belonged to a resident, contained protected health information on 537 patients.

Officials with URMC say they have notified the 537 former orthopedic patients whose information was lost on the drive. Lost information included patients’ names, genders, ages, dates of birth, telephone numbers, medical record numbers, and more, though it didn’t include addresses, Social Security numbers or insurance information.

According to Healthcare IT News, the resident’s unencrypted, unprotected drive ran counter to URMC’s campus-wide policy. URMC requires physicians and staff to use only encrypted drives, which are the only kind stocked in its on-campus computer center. The latest URMC security policy also requires all mobile devices to be password protected, encrypted, and to time out when left unattended.

In an effort to make sure further security breaches don’t occur, the health organization is re-educating its faculty and staff on its security policy, and plans an annual education series to reinforce this training, a hospital spokesperson told Healthcare IT News.

This is URMC’s third data breach involving more than 500 patients reported to HHS, the magazine reports. The previous two breaches, which involved PHI for nearly 3,500 patients, both took place in 2010. One of the two involved the loss of an encrypted portable electronic device.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

2 Comments

  • In my experience most private practice docs understand they have to comply with HIPAA but choose not to. Most of the hospitalists I know/deal with think HIPAA is handled for them by others, and they can just work as they always have.

    In the last paragraph it mentions one of the two previous breaches was the loss of an encrypted storage device.

    Either they don’t understand that an encrypted storage device gives you safe harbor (don’t have to report it), or they had the password “taped” to the device, or the entire device wasn’t encrypted so they couldn’t be 100% sure about the security.

    The majority of breaches are lost/stolen portable storage devices.

    This is a SUPER EASY fix folks – encrypt the ENTIRE device, use a strong password and DO NOT have the password on the device.

    Do this and you do not have to report this as a breach.

    Additionally, we should see facilities with multiple breaches get increased fines.
