Lost Laptop Leaves Patients Vulnerable to Data Breach

A decommissioned laptop computer previously used by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has been discovered to be missing. The laptop is thought to have stored protected health information (PHI) of patients of the clinic, and its loss raises the possibility of the exposure of this sensitive patient information.

The laptop was paired with a hematology analyzer and stored data related to hematology tests. The laptop was in use between April 2013 and May 2016, but was decommissioned when the device became unusable. The laptop, which had been supplied by a vendor, was replaced. However, when a routine equipment inventory was performed, it was discovered that the device was missing.

The device should have been returned to the vendor shortly after it was decommissioned. Employees at the facility contacted the vendor to see if they had the laptop, but there was no record of the laptop ever being recalled from MGVAMC. A full search of the medical center was conducted but the laptop could not be located.

MGVAMC stated that it was not possible to tell exactly what information had been stored on the device, or the exact number of patients whose protected health information may have been exposed. The healthcare organisation concluded that all patients who submitted samples for hematology tests during the dates that the laptop was in use could have had their data stored on the device, and therefore were at risk of their PHI being used for malicious purposes.

The types of information stored on the device would have included names, dates of birth, and Social Security numbers according to a statement issued by MGVAMC. Approximately 3,275 patients have been identified as potentially having been impacted. In accordance with HIPAA’s Breach Notification Rules, they have been notified of the possible breach. Where applicable, patients will be offered credit monitoring and identity theft protection services.

Whenever equipment containing electronic protected health information is decommissioned, HIPAA-covered entities must ensure all data is rendered unreadable, indecipherable, and otherwise cannot be reconstructed.

The physical safeguards stipulated in the HIPAA Security Rule – 45 CFR 164.310(d)(2)(i) – require covered entities to implement policies and procedures to address the final disposition of ePHI and/or the hardware on which it is stored, while 45 CFR 164.310(d)(2)(ii) requires covered entities to implement procedures for the removal of ePHI from electronic media before the media are made available for re-use.

When devices have been decommissioned for use, OCR recommends “clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding). If devices are supplied by vendors, the method for clearing the devices prior to decommissioning should be discussed with the vendor and policies developed accordingly.

In response to this incident, the Mann-Grandstaff VA has developed a new policy for sanitizing electronic media prior to disposal, decommissioning, or returning devices to suppliers to prevent further potential breaches of ePHI.