In late November, the Framingham, MA-based Charles River Medical Associates based practice discovered one of its external hard drives was missing from its usual location.
The missing device contained x-ray images, names, patient ID numbers, and birth details. All patients who had visited the Framingham radiology lab for a bone density scan since 2010 had their x-ray images obtained – almost 9,400 individuals.
The hard drive was operating by the practice as a backup device and updated the stored data every month with bone density scans from the previous four weeks. The last time the device was put to use was for the October data backup. In late November, when the monthly backup was due to take place, the portable drive was missing.
A thorough search of the premises was carried out, which took many weeks, but the device could not be located. All staff members were quizzed about the location of the drive, but no one had seen the device in the past four weeks.
Charles River Medical Associates has now officially announced that the device lost and the search has been cancelled. Brian Parillo, executive director of Charles River Medical Associates commented, “It’s hard to speculate on what could have happened to it.”
Losing any device containing unencrypted protected health information must be reported in line with HIPAA Rules and patients must be notified of the potential breach of their information. The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) and affected patients have been informed of the breach by mail.
While the external hard drive is believed to have been lost rather than stolen, it is possible that the device has been found and the information stored on the drive viewed by unauthorized parties. Patients have therefore been told to take measures to guard against any negative impact from the incident, including seeking credit reports and checking their credit accounts for any sign of suspicious activity.
However, as no Social Security numbers, financial information, or health insurance details were kept on this external hard drive, the chance of identity theft or fraud is low.
Following the HIPAA breach incident, the decision has been taken to stop bring an end to using unencrypted portable drives to store backups. A full security review has also been finished to look for other potential vulnerabilities to the confidentiality, integrity, and availability of PHI, a review of hardware has been carried out, and staff have been retrained on privacy workflows and processes.