Employee’s Loss of Unencrypted Thumb Drive Compromises PHI for Thousands of Nevada Medical Center Patients
A thumb drive containing the names, diagnoses, medical record numbers, clinical information, admission dates, and names of physicians of patients receiving inpatient services at a Nevada Medical Center between January 1, 2012 and June 14, 2019 was reported to have been lost on June 30, 2019. The employee who reported the lost drive was questioned, and an intensive search was made without finding the device.
The affected patients are being mailed notification letters by the medical center about the extent of the breach and what protected health information (PHI) it contained. The affected patients have been told that there has been no indication that the information was misused and that no Social Security numbers or financial data were on the drive; therefore, the notification letter does not contain an offer of protective services such as credit monitoring and identity theft protection. The letter did include general information about how patients can protect their electronic information.
The medical center recommended that patients review the statements they receive from their healthcare providers and gave this advice: “If you see services you did not receive, please contact the provider immediately.”
While the medical center refused to comment on the number of patients involved in the breach, other sources reported the number to be 27,004 patients. The medical center reported that it is “reviewing its policy on portable devices, such as thumb drives, and providing additional employee education on safeguarding patient information.”
Compliance Perspective
Allowing employees to use unencrypted thumb drives that may be misplaced or lost, thereby exposing the protected health information of the patients/residents receiving services from the facility, may be deemed a breach of residents’ rights to personal privacy and confidentiality of their records, and may be considered provision of substandard quality of care in violation of state and federal regulations.
Discussion Points:
- Review policies and procedures regarding protecting patients/residents’ rights to privacy and confidentiality of their records, and the risks involved with the use of portable devices, particularly devices on which the information is not encrypted.
- Train staff on policies and procedures regarding patients/residents’ rights to privacy and confidentiality of their records and the use of portable devices containing unencrypted PHI.
- Periodically audit staff responsible for the protected health information of patients/residents to ensure that they are following protocols for preventing breaches of PHI.