An employee of Renown Health, the largest healthcare provider in Nevada, lost an unencrypted thumb drive containing the protected health information (PHI) of 27,004 patients, resulting in a healthcare breach. Compromised PHI included patient names, medical record numbers, diagnoses, dates of admission, physicians' names, and clinical information. Individuals affected by the breach were patients at Renown South Meadows Medical Center who were seen between January 1, 2012 and June 14, 2019.
The employee notified Renown Health of the lost device on June 30, 2019. The organization conducted an investigation, including interviewing the employee who lost the device. Upon completion of the investigation, the device still could not be found. Renown Health is notifying affected patients and reviewing its policies and procedures regarding the use of portable storage devices.
Asset Management Prevents Healthcare Breaches
The Department of Health and Human Services (HHS) requires healthcare organizations to implement an asset management plan. As part of asset management, organizations create a log of devices, who uses them, and what security measures protect each device. Asset management can prevent healthcare breaches, because with such a log an organization can determine which devices are safe to remove from its physical site.
It is recommended that unencrypted devices transmitting, storing, or maintaining PHI remain onsite. Removable devices storing PHI should be encrypted if they are to be removed from an organization's physical site. This ensures that if the device is lost or stolen, the PHI on it will be unreadable. PHI is more valuable on the dark web than an individual's financial information, as the wealth of information collected for health reasons is vast.
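The two paragraphs above describe an asset log (device, custodian, protective measures) and a removal rule (a device holding PHI leaves the site only if it is encrypted). The following is an added example, not code from the article or from Renown Health, showing how such a register can enforce that rule and flag existing violations. The device records, asset tags and field names are constructed assumptions for illustration.

```python
"""Minimal asset register with the PHI removal policy described in the article.
Added example; the inventory entries below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Device:
    asset_id: str     # inventory tag (constructed value)
    kind: str         # e.g. "usb", "laptop"
    custodian: str    # who is responsible for the device
    stores_phi: bool  # does it store, transmit or maintain PHI?
    encrypted: bool   # is full-device encryption in place?
    location: str     # "onsite" or "offsite"


# Constructed sample inventory (not real Renown Health assets).
SAMPLE_INVENTORY: Dict[str, Device] = {
    "USB-0001": Device("USB-0001", "usb", "j.doe", stores_phi=True, encrypted=False, location="offsite"),
    "USB-0002": Device("USB-0002", "usb", "a.lee", stores_phi=True, encrypted=True, location="offsite"),
    "USB-0003": Device("USB-0003", "usb", "m.roy", stores_phi=True, encrypted=False, location="onsite"),
    "LAP-0100": Device("LAP-0100", "laptop", "k.ng", stores_phi=False, encrypted=False, location="offsite"),
}


def offsite_allowed(dev: Device) -> bool:
    """Policy from the article: a device holding PHI may leave the site only if encrypted."""
    if not dev.stores_phi:
        return True
    return dev.encrypted


def request_removal(dev: Device) -> Tuple[bool, str]:
    """Decision a check-out workflow would record before a device leaves the building."""
    if offsite_allowed(dev):
        return True, "approved"
    return False, "unencrypted device holding PHI must remain onsite"


def audit(inventory: Iterable[Device]) -> List[str]:
    """Asset IDs already offsite in violation of the policy (unencrypted and holding PHI)."""
    return sorted(d.asset_id for d in inventory
                  if d.location == "offsite" and not offsite_allowed(d))


if __name__ == "__main__":
    for asset_id in audit(SAMPLE_INVENTORY.values()):
        dev = SAMPLE_INVENTORY[asset_id]
        print(f"VIOLATION {asset_id}: {dev.kind} held by {dev.custodian} is offsite and unencrypted")
    ok, reason = request_removal(SAMPLE_INVENTORY["USB-0003"])
    print(f"removal of USB-0003: {'approved' if ok else 'refused'} ({reason})")
```

The register is only useful if it is kept current: a lost drive that was never logged cannot be audited, and a "stores_phi" flag that is wrong makes the removal check meaningless, so the log should be reconciled against what is actually issued to staff.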
PHI collected by healthcare organizations may include:
- Address (including street address, city, county, or zip code)
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voice prints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
Healthcare breaches have become commonplace; as such, healthcare organizations and the vendors that service them must be diligent in their efforts to secure protected health information.
Need assistance with HIPAA compliance?
Compliancy Group can help! Our cloud-based compliance software, the Guard™, gives you the flexibility to work on your HIPAA compliance from anywhere that has an internet connection. Our expert Compliance Coaches™ will guide you through our implementation process enabling you to Achieve, Illustrate, and Maintain™ HIPAA compliance.