Chesapeake, Virginia based Chesapeake Regional Healthcare has reported that two hard drives containing the protected health information (PHI) of approximately 2,100 patients are missing from their Chesapeake Regional Medical Center campus at that location.
The private health information stored on the devices in question relates to patients who participated in research at its Sleep Center between April 2015 and February 2018.
it is still no known exactly when the hard drives went missing. Chesapeake Regional Healthcare saw that the devices were not at their usual places on February 6, 2018. An internal investigation was kicked off, and a complete search of the facility was conducted, but the devices could not be recovered. The missing hard drives have been filed as lost/stolen to police, but Chesapeake Regional Healthcare said the likelihood of the devices being found no is low and it does believe that the devices will be found.
There was no encryption on the hard drives. If captured by a third party, the protected health information of patients could be accessed. The types of data stored on the devices includes names, location information, birth dates, unique patient identifiers, details of the treatment and tests completed at the Sleep Center, and information on medications that were given to patients. Social Security numbers, addresses, insurance information, and financial data were not recorded on the device in question.
Measures are being employed at Chesapeake Regional Healthcare to ensure similar breaches do not occur going forward. These easures include improving policies related to the security of PHI recorded on portable electronic storage devices. It is not clear whether the new procedures will include data encryption on devices.
At present, Chesapeake Regional Healthcare is issuing notifications to patients, who are being offered 12 months of free credit monitoring and identity theft protection facilities. Should any patients discover their health information has been used for ill means, extra help will be offered to help mitigate any harm experienced.