A laptop computer, no longer in use, owned by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has gone missing, potentially leading to the exposure of sensitive patient data.
The laptop was linked to a hematology analyzer and held data related to hematology tests. The laptop was in operation between April 2013 and May 2016, but was put out of use when the device became unusable. The laptop, which had been purchased from a vendor, was replaced; however, an equipment inventory showed the device to be missing.
The device should have been returned to the vendor it was purchased from, although the vendor has no record of the laptop ever being recalled from MGVAMC. An inventory of equipment at the MGVAMC lab found the device was missing. A complete search of the medical center was carried out but the laptop could not be found.
It was not possible to tell exactly what data had been stored on the device, or the exact number of patients whose protected health information may have been obtained. MGVAMC concluded all patients who submitted samples for hematology tests during the dates that the laptop was in use possibly had data exposed.
The types of information held on the device would have included names, dates of birth, and Social Security numbers according to a statement released by MGVAMC. 3,275 patients have potentially been impacted and have been warned of the possible breach. Where applicable, patients will be offered credit monitoring and identity theft protection services for a period of time.
Whenever equipment storing electronic protected health information is decommissioned, HIPAA-covered bodies must ensure all data is rendered unreadable, indecipherable, and otherwise cannot be put back together.
The physical safeguards outlined in the HIPAA Security Rule – 45 CFR 164.310(d)(2)(i) – require covered bodies to implement policies and procedures to address the final disposition of ePHI and/or the hardware on which it is stored, while 45 CFR 164.310(d)(2)(ii) requires covered entities to put in place procedures for the removal of ePHI from electronic media before the media are made available for re-use.
OCR recommends clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or completely destroying the media (disintegration, pulverization, melting, incinerating, or shredding). If devices are provided by vendors, the method for wiping the devices prior to decommissioning should be discussed with the vendor and policies developed accordingly.
Reacting to this incident, the Mann-Grandstaff VA has developed a new policy for sanitizing electronic media prior to destruction, decommissioning, or returning devices to suppliers to avoid potential additional breaches of ePHI.