St. Luke’s Cornwall Hospital has released a media statement providing more information on the 29,156-record data breach that occurred on October 31, 2015. The hospital has clarified that the breach occurred when an unknown person entered a secure area of the hospital and stole a thumb drive containing a limited amount of patient data.
The device was unencrypted and contained patient names, medical record numbers, details of imaging services provided, and the dates of patient visits. Some administrative information was also stored on the thumb drive, though no health information, insurance details, financial information, or Social Security numbers were compromised.
Although the incident was discovered quickly, the hospital had to carry out an investigation to establish exactly which data were stored on the thumb drive and which patients were affected. The investigation has now been completed and patients have been notified by mail of the breach of their stored health information. The Department of Health and Human Services’ Office for Civil Rights was notified of the data breach on December 30, 2015.
Even though only limited patient data were exposed and the risk of individuals suffering financial losses or identity theft as a result of the breach is comparatively low, out of an abundance of caution St. Luke’s Cornwall Hospital is providing affected patients with identity theft recovery services for one year at no charge.
The security breach has prompted St. Luke’s Cornwall Hospital to change its policies on data encryption. All USB drives used by the hospital will now require a password to access data, and patient data stored on the devices will be encrypted.
The use of thumb drives and other portable storage devices carries a data security risk because they can all too easily be stolen or lost. To reduce the risk of further security incidents of this type, St. Luke’s will be deploying IT systems that allow data access without the use of thumb drives.
OCR Takes Action over Portable Device Theft
The Office for Civil Rights has been cracking down on HIPAA-covered entities that have suffered data breaches as a result of portable storage devices being stolen or lost. Many settlements have been reached with organizations for potential HIPAA violations that resulted in the loss of portable devices and the exposure of ePHI.
| Covered Entity | Breach Type | Records Exposed | Date | Settlement Amount |
| --- | --- | --- | --- | --- |
| Cancer Care Group, P.C. | Theft of Laptop/Unencrypted Backup Media | 55,000 | September, 2015 | $750,000 |
| St. Elizabeth Medical Center | Theft of Flash Drive | 595 | July, 2015 | $218,400 |
| Adult & Pediatric Dermatology, P.C. | Theft of Flash Drive | 2,200 | December, 2013 | $150,000 |
| Alaska DHSS | Theft of USB Hard Drive | 2,000 | June, 2012 | $1,700,000 |