According to a recent Forrester Research brief entitled "Stolen and Lost Devices Are Putting Personal Healthcare Information at Risk," more than 41 percent of healthcare organizations haven't deployed endpoint encryption, despite the fact that about a third of healthcare employees work outside the office or clinic at least once a week.
"It's hard not to feel a level of excitement as [the] convergence of healthcare, mobile technology, and big data progresses at an accelerated rate," Forrester analyst Christopher Sherman wrote in a blog post discussing the findings. "However, with all of this new patient data being collected by insurance payers, medical providers, and third-party services, healthcare employee endpoints have become an especially vulnerable source of data loss."
And those types of incidents continue to happen on a disturbingly regular basis.
Ohio's Beachwood-Westlake Plastic Surgery recently began notifying 6,141 patients that their personal information may have been exposed when computers were stolen from the clinic's offices on June 19, 2014. The personal information potentially exposed includes patient names and "limited medical information" (h/t PHIprivacy.net).
"We have a security and surveillance system in place," practice manager Jessica Morris noted in a letter to patients. "Unfortunately, a cleaning crew failed to re-activate our system the night of the crime."
"We are acutely aware of the importance of your personal information and have taken a number of precautions to protect it," Morris added. "As you may know, we do not collect our patients' Social Security numbers. We also never store any credit card information in our office. We also believe that no data linking birth dates to names were compromised."
The Duke University Health System (DUHS) recently began notifying an undisclosed number of patients who had been treated at the Duke Children's Health Center and Lenox Baker Children's Hospital between December 2013 and June 2014 that their personal information may have been exposed when an unencrypted thumb drive was stolen from an administrative office on July 1, 2014 (h/t Becker's Health IT & CIO Review).
The thumb drive held spreadsheets containing the affected patients' names, medical record numbers, physicians' names, and in some cases the names of Duke University Hospital locations visited. "To help prevent something like this from happening in the future, we are enhancing our encryption processes and reinforcing staff education on the use of encryption and the importance of handling patient information securely," DUHS said in a statement.
And the Health & Human Services Agency (HHSA) of California's Napa County recently began notifying an undisclosed number of clients of its In Home Supportive Services (IHSS) program that their personal information may have been exposed when a thumb drive was found to be missing from HHSA's offices on August 27, 2014.
"This discovery was made in the aftermath of the Napa earthquake on August 24, 2014, during the recovery and cleanup process; our offices were severely damaged and are not being occupied at this time," HHSA deputy director Kris K. Brown wrote in the notification letter [PDF].
The thumb drive held the affected clients' names, addresses, phone numbers and "limited information regarding your status as an IHSS program recipient," according to the letter.
"We are taking immediate steps to safeguard your personal information, including a policy that no information about you will be stored on any such device in the future even if it is in a locked office building," the letter states. "Additionally, we have implemented a corrective action plan as a result of this incident to enhance the safeguards that protect your personal information."
"If you're a CISO at a healthcare organization, endpoint data security must be a top priority in order to close this faucet of sensitive data," Forrester's Sherman advises. "Consequences will increasingly be more than just a mere slap on the wrist with fines, as consumers fight back."