
'Serious mistake' results in PHI sent to kids art project

'This error brought to light a vulnerability in our system'
By Erin McCann , Managing Editor
Perhaps CD-ROMs are not the best storage media when it comes to safeguarding the health information of your patients – especially when one of your staff members accidentally donates them to a children's art project, as recently happened at a Virginia-based health system.
 
Patients seen at the Virginia Commonwealth University Health System are getting HIPAA breach notification letters this month, after one of the organization's employees donated CDs containing reams of protected health information, Social Security numbers, dates of birth and demographic data to an art program for children.
 
Health system officials, who discovered the breach back in October, said the staff member acted against the organization's policy requiring proper disposal of storage media. VCUHS has since recovered some of the CDs containing the patient data. When asked how many patients were affected by the breach, VCUHS officials had not responded by publication time.
 
 
"What began as a well-intentioned philanthropic effort by a staff member wanting to help turned into a serious mistake that we are working very hard to remedy," said John Duval, chief executive officer of MCV Hospitals and Clinics, in a Dec. 15 statement publicly announcing the breach. "This error brought to light a vulnerability in our system that developed over time and that we are working to correct, and we are deeply sorry for the inconvenience this may have caused some of our patients."
 
Duval assured patients that the health system has updated its policies pertaining to media destruction and will "redouble its efforts to protect all sensitive information."
 
This appears to be the first reported case of unencrypted CDs containing PHI being donated to a children's program. But failing to properly dispose of storage media such as CDs is unfortunately common among healthcare organizations and their business associates.
 
Lincoln Medical and Mental Health Center in New York, for example, notified more than 130,000 of its patients after its business associate, Siemens Medical Solutions, shipped unencrypted CDs containing PHI to the hospital, and the discs were lost in transit.
 
 
Just in September, patients seen at Jersey City Medical Center were notified that their PHI was also compromised in a HIPAA breach after unencrypted CDs were mailed via UPS to an outside company. And, naturally, the CDs never arrived.
 
Considering that the loss or theft of unencrypted devices, storage media or computers accounts for the lion's share of HIPAA privacy and security breaches reported to the Department of Health and Human Services – some 70 percent, in fact – there's one key takeaway healthcare organizations can take to the bank.
 
"Encrypt; encrypt; encrypt," said Lynn Sessions, partner at BakerHostetler, who focuses on healthcare privacy, in an interview with Healthcare IT News this spring. "It's a safe harbor for the HIPAA breach notification requirements, but that still fails to motivate some."
 
 
Indeed, the Office for Civil Rights, the HHS division responsible for HIPAA enforcement, has repeatedly echoed similar sentiments. "Pay attention to encryption, for any devices that can leave the office," said former OCR deputy director for health information privacy Susan McAndrew at HIMSS14 this past February.
 
Nearly 42 million people have had their protected health information compromised in reportable HIPAA privacy and security breaches since 2009, according to OCR data.