Last Friday, the theft of laptops and tablets from the hospice office of Northwestern Memorial Hospital led to a breach of an undisclosed number of patient records. Now it’s the pilfering of a single laptop from an external vendor working with Hartford Hospital and VNA HealthCare that has close to 10,000 patients wondering what might become of their protected health information (PHI).
An employee of the data analytics firm Greenplum, a subsidiary of EMC Corp., was using the records as part of a quality improvement project about hospital readmissions. As reported by the Hartford Courant, the Greenplum employee notified police in San Mateo, CA, where the theft occurred, and investigations have now expanded to San Francisco. Internal investigations by EMC and the healthcare organizations have shown no misuse of the PHI, but they have also indicated that the stolen laptop was not encrypted, itself a violation of EMC policy.
In the wake of the theft, EMC, per the hospitals’ orders, has destroyed all other data it had on hand. The 7,461 VNA HealthCare and 2,097 Hartford Hospital patient records comprise:
• Social Security numbers
• Medicare and Medicaid numbers
• Medical record numbers
• Diagnosis and treatment data
According to the joint release, both healthcare organizations, which became aware of the incident on June 26, have policies for ensuring that data in transit and at rest is encrypted. However, the health data breach reveals how limited an organization is in defending its patients against a single point of failure outside the hospital — in this case, an external vendor. The hospitals will be providing affected patients with credit monitoring, fraud protection, and other support.
The three most recent health data breaches highlight the importance of safeguarding hardware containing PHI with not only physical protections but also software defenses (e.g., encryption).