Stolen USBs Result in Breach of PHI

The Man-Grandstaff VA Medical Center in Spokane, WA has announced that it has experienced a breach of PHI. The breach was a result of the theft of two USB drives, which contained the protected health information of almost 2,000 veterans. The devices were stolen on July 18, 2017 from a contract employee while on a service call to a VA hospital in Oklahoma City.

The two devices were being used to store data from a standalone, non-networked server that was in the process of being decommissioned. One of the devices was the “master drive”, and was used to move the medical center’s Anesthesia Record Keeper database to its virtual archive server. According to a statement issued by the medical center, that transfer had taken place in January. However, the database was still on the drive, despite the months that had elapsed since the transfer.

Man-Grandstaff VA Medical Center was not able to determine the exact details of the information which was stored on the USB drives. The database on the virtual archive server-which had the same information as the USB-was checked and found to contain full names, addresses, phone numbers, surgical information, insurance information, and Social Security numbers.

The healthcare centre has identified 1,915 individuals who have potentially been affected. In accordance with HIPAA’s Breach Notification Rule, they are being notified of the breach by mail. In compensation for the error, the affected patients have been offered credit monitoring services for 12 months without charge.

In September, the same medical center announced another data breach had occurred. An unencrypted laptop computer that was used as an interface with a hematology analyzer was discovered to be missing. The data on the laptop included names, dates of birth, and the Social Security numbers of approximately 3,200 veterans. Following that breach, the medical center implemented a system that allows devices to be remotely wiped of all PHI in the event of loss or theft.

While transporting or storing data on small portable devices such as USB, pen, or zip drives is convenient, the devices are easily misplaced, lost, or stolen. Although not the fault of a HIPAA covered entity (CE), the loss of a USB drive containing PHI is a reportable breach. As the USB is unlikely to be encrypted, the breach could potentially result in a significant regulatory fine.

There are now many cloud-based storage options that allow data to be easily accessed and shared. Covered entities still using these small portable devices to store PHI should consider banning the use of the devices and switching to HIPAA-compliant cloud-storage. It is important to note that, although the cloud-based servers themselves comply with HIPAA, it is important to take steps to ensure that employees know how to use the services in a manner which is not in violation of HIPAA.

Prior to using any cloud storage service, HIPAA covered entities should obtain a signed, HIPAA-compliant business associate agreement and train employees on the correct use of the storage platform. Alternatively, secure, HIPAA-compliant text messaging platforms can be used to share PHI securely between members of the organisation.

If the use of USB drives is unavoidable, any PHI stored on the devices should be encrypted to prevent unauthorized access in the event of loss or theft, or an alternative security measure that provides an equivalent level of protection.