In a press release today, Cancer Care Group (Indianapolis, IN) announced that a laptop computer containing its computer server backup media was stolen from an employee’s locked care on July 19, 2012. The breach has potentially exposed the protected health information (PHI) or personally identifiable information (PII) of close to 55,000 individuals, including the organization’s own employees. The latest incident comes less than a month after Apria Healthcare reported a similar incident in Arizona where an employee’s car was broken into and a laptop containing information for 11,000 patients stolen.
Details about the theft, which was reported to the authorities, are still scarce. A spokesman for Cancer Care Group has indicated that the group doesn’t know if the contents of the backup media motivated the theft. Moreover, there is no indication that the theft has led to the authorized use of patient or employee data. These data comprise information include names, addresses, dates of birth, and Social Security numbers for both parties as well as medical and insurance information for patients and beneficiary, employment, or financial information for employees.
As a result of the health data breach, Cancer Care Group is reviewing its security measures although it’s unclear what safeguards were actually in place at the time of the theft. “Cancer Care Group is encrypting all mobile media, updating policies and procedures, upgrading data storage technology, and re-educating our workforce on safety with mobile media,” notes spokesman Clyde Lee, “Some of these steps already were underway at the time this incident occurred.”
Wouldn’t an organization that has encrypted its data make sure to indicate that clearly when news of a breach breaks? It seems unnecessary to broach the subject of encryption unless this protection were lacking from the stolen hardware. Given the tendency for employees to carry valuable patient information offsite, encryption is a logical choice for healthcare organizations. In the case of Cancer Care Group, that the employee had the ability to carry backup media outside the organization’s walls appears to be a serious administrative, let alone physical, oversight.
In the end, what’s going to motivate healthcare providers to put the necessary safeguards in place prior to an adverse event? Whatever’s on the table right now isn’t working. As of today, the breach has yet to be included on the Department of Health and Human Services list of breaches affecting 500 or more individuals, which is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.
Browse all our white papers by topic:
• Top technical safeguards for health data security
• Texas MD Anderson endures second data breach
• How can healthcare providers improve data security?
• Stolen laptop leads to health data breach at Apria Healthcare
• Summer of the Health Data Breach continues