Healthcare News & Insights

The basic practice that could have prevented 2 big HIPAA breaches

More than 730,000 patients recently had their personal information compromised by criminals in two separate incidents targeting hospitals. Both could have been avoided if those organizations had followed a single basic procedure: encrypting all portable computing devices that hold patients’ protected health information.

AHMC Healthcare, which runs six hospitals in California, was recently the target of one of the biggest healthcare data breaches ever reported. The organization recently notified 729,000 patients that their personal information may have been compromised.

The source of the breach: Two laptops containing the information were stolen from an office on October 12.

It’s unclear how the thief got away with it when the office, as AHMC officials said, was being patrolled by security officers and subject to video surveillance.

Despite those precautions, the organization failed to take another security step that could have greatly limited the impact of the theft. The laptops weren’t encrypted, which means that whoever ends up with the machines won’t have a hard time getting into them and accessing all of the data they contain. That information includes patient names, diagnoses, Medicare data and insurance information.

If the laptops had been encrypted, AHMC would have suffered the loss of the equipment and some other problems. But since the data was left unprotected, the incident became a reportable breach and all of the patients with information on the computers had to be notified.

Reputations on the line

A similar incident happened recently at Tennessee-based HOPE Family Health. In this case, 8,000 patient records were possibly compromised after a laptop used for work was stolen from an employee’s home.

The laptop, which contained patient names, addresses, Social Security numbers and billing records, was also not encrypted.

The good news is that in incidents like these, the information isn’t likely to be used to commit medical identity theft or other types of fraud. Often, the equipment itself is the target of the theft.

But even when the unencrypted data is never used maliciously, hospitals still suffer the consequences if it’s stolen, particularly in terms of the organization’s reputation and its ability to attract and keep patients. Increasingly, consumers are worrying about how organizations will protect their personal information, and their level of trust in the privacy of their data is having an impact on their decisions.

These incidents have their respective hospitals scrambling to change their policies and practices. AHMC officials said the group was “expediting a policy of encrypting all laptops,” while HOPE is now requiring employees to store data on an encrypted server rather than individual PCs. Of course, in light of the number of healthcare data breaches caused by lost or stolen devices, all organizations should be taking those steps already.
