Healthcare News & Insights

4,000 patients’ protected health information stolen from doctor’s personal laptop

Here’s yet another reminder that healthcare organizations must take care to secure patients’ protected health information (PHI) when it’s held on laptops and other mobile devices. 

Beth Israel Deaconess Medical Center in Boston recently reported a breach in which information about 3,900 patients may have been compromised after a laptop computer holding the data was stolen from the hospital.

All hospital-owned computers and devices are encrypted to protect patients’ information. However, the laptop that was stolen was a doctor’s personal computer that he was using for office work, and it wasn’t encrypted.

Fortunately, the computer didn’t contain any Social Security numbers, financial information, or complete medical records, and an investigation conducted by an outside forensic firm found no indication that any of the stolen data had been misused, the Boston Globe reports.

Hospital officials called the breach a “teachable moment,” and the incident holds a lesson for other healthcare organizations as well.

Most importantly, hospitals and practices must learn to adapt to the recent trend of IT consumerization that is taking hold in healthcare and other industries. Doctors and staff members are increasingly using personal devices to do their work, and as this incident shows, organizations need to keep that from threatening the security of protected health information.

One option is to forbid the use of personal devices for work. However, that is becoming harder and less common for organizations to do: 85% of hospitals allow the use of personal devices, according to one survey.

Instead, Beth Israel is taking a different approach. Officials said the breach has prompted a policy change, and the hospital is instituting a mandatory encryption program. If employees wish to use personal devices to access any data, either patient-related or administrative, they must first bring the device to the hospital’s IT team so it can be encrypted. IT will also make sure the device has appropriate anti-virus protection and software that is fully patched.

That’s one step organizations allowing personal devices must take to secure patients’ protected health information.
