Lost, Stolen Unencrypted Devices Expose PHI Nationwide

In three separate cases, doctors and hospitals recently announced that patient data had been been put at risk due to the loss or theft of unencrypted devices.

Ohio’s Akron Children’s Hospital recently announced that “a device containing backup transport voice recordings” was found to be missing on June 30, 2015.

The device held audio recordings of communications between dispatchers and medical staff at community hospitals, physicians’ offices and emergency departments between September 18, 2014 and June 3, 2015.

Some of the recordings included protected health information such as patient names, ages, genders, birthdates, medical record numbers, location, transfer times, physician names, and medical complaints.

WFMJ reports that the device, a hard drive, held information on 7,664 patients.

While the hospital says it has no evidence the recordings have been accessed or misused and doesn’t believe patients are at risk for identity theft, it sent notification letters to all affected families on August 21, 2015. Families with questions are advised to contact (866) 329-5860.

“Akron Children’s Hospital is committed to maintaining our patients’ health information in a secure and confidential manner,” the hospital said in a statement. “To prevent similar incidents, we have taken steps to ensure all mobile devices are encrypted and we no longer store transport voice recordings on mobile devices.”

California psychiatrist Dr. Robert E. Soper recent began notifying patients that their personal information may have been exposed when his car was broken into and an “older office desktop I planned to give to my brother” was stolen on June 27, 2015 (h/t DataBreaches.net).

The computer held patient names, birthdates, emails, clinical notes, and some phone numbers. “Because that data has now been compromised, I owe each of you a personal apology,” Soper wrote in the notification letter [PDF] to those affected.

“I am very sorry that this has happened with information that I am responsible for protecting,” Soper added. “We have taken additional steps at the office to protect your data further.”

And Massachusetts’ Lawrence General Hospital announced earlier this month that an unencrypted thumb drive containing patient information was found to be missing from an office in a secured hospital lab on June 9, 2015.

The drive, which was last used in the lab on June 6, held patient names, laboratory test codes and slide identification numbers. No other medical information was included.

DataBreaches.net reports that 2,071 patients are affected. The hospital sent notification letters to all affected patients on August 7, 2015.

“Lawrence General has extensive policies and procedures governing the security of patient health information, including the use of portable data storage devices, like thumb drives,” the hospital said in a statement. “In response to this incident, the hospital is reinforcing the staff training and education regarding the importance of handling patient health information securely.”

Recent eSecurity Planet articles have examined the importance of offering security training to employees and offered six tips for stronger encryption.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Top Cybersecurity Companies

Related articles