Archive for Unsecure PHI
A vendor employee is responsible for the theft of a hard drive that exposed the PHI of 7,170 patients at University Hospitals in Cleveland, Fox 8 Cleveland reported on its website.
A third-party vendor was backing up University Hospitals’ data on hard drives while upgrading the academic medical center’s computers, according to the article. The hard drive was stolen from a vehicle owned by an employee of the vendor.
Information on the hard drive includes patient names, addresses, dates of birth, medical record numbers, insurance information, and treatment information, according to Fox 8 Cleveland. Social Security numbers for some patients may also have been stored on the hard drive. University Hospitals will strengthen its device security policies and encrypt its electronic devices, according to the article.
The theft of two password-protected laptops from a secure office at AHMC Healthcare, Inc., in California, compromised the PHI of 729,000 patients, according to a statement on the AHMC website. The laptops contained data for six AHMC hospitals.
The laptops contained patient names, insurance numbers, diagnosis/procedure codes, and insurance/patient payment information, according to the statement. Video surveillance showed the alleged thief breaking into a locked office October 12.
AHMC Healthcare recently contracted with a third-party auditing company to perform a security risk analysis and to expedite a policy to encrypt all laptops within the hospital group, according to the statement.
The Federal Trade Commission (FTC) announced in a press release that it has filed an administrative complaint against LabMD, Inc., a medical testing laboratory in Atlanta, for allegedly failing to protect consumer PHI.
The FTC alleges that LabMD exposed the billing information of more than 9,000 consumers when a spreadsheet containing names, dates of birth, Social Security numbers, health insurance provider information, and medical treatment codes was posted on a peer-to-peer file-sharing network. Identity thieves obtained the personal information of at least 500 LabMD consumers, including names, Social Security numbers, and some bank account information, according to the press release.
A University of Arizona Medical Center (UAMC) emergency department employee accidentally disclosed a patient’s PHI when uploading a photograph of her workstation to Facebook, according to Green Valley News and Sun. The employee’s computer screen, which displayed a patient’s PHI, was visible in the background of the photograph, Green Valley News and Sun reported. UAMC notified the patient of the incident, disciplined the employee, and re-trained emergency department employees with respect to privacy policies, the newspaper reported.
The employee removed the photograph from Facebook 30 minutes after posting it, but the damage was done. Four months after the photograph was posted, the patient received a phone call from the Department of Economic Security informing her that someone used her personal information to apply for food stamps, according to Green Valley News and Sun.
Using a workplan template and a checklist together can minimize the risk of disclosing PHI during multi-site research, advises BMC Medical Informatics and Decision Making.
The workplan template serves as a guide for programmers involved in multi-site programming to communicate how the program should run, what output the program creates, and whether that outcome may contain PHI. The checklist ensures the output meets expectations and does not contain unallowable PHI, according to the article.
Conducting healthcare research across multiple sites can often increase the risk of a privacy or security breach, according to the article. The multi-site researchers who wrote the paper concluded that data privacy tools should do the following:
- Allow for a range of permissible PHI
- Identify types of data protected by HIPAA
- Help analysts identify allowable PHI in a project and understand how they can protect that PHI during data transfer