A Denton County, Texas health department employee recently dropped off a thumb drive at a local print and copy store to have a personal document printed. The thumb drive also contained 874 unsecured patient files from the health department’s tuberculosis clinic, which included patient names, addresses, dates of birth and test results. This triggered a disclosure of the potential breach by the health department as well as the delivery of notice letters to all of those patients.
In its breach notification found here, the health department stated that the device was in the hands of print store employees for less than one hour and that it had no reason to believe the patient data was accessed by anyone outside the agency. However, that is not the standard for breach disclosure under HIPAA, and as a result, the health department was still required to notify the affected patients.
Anyone working in the health care field who manages or works with protected health information can take away three important lessons from this incident.
1. Storing protected health information on mobile storage devices like thumb/flash drives is inherently risky.
The capacity and portability of mobile storage drives make them convenient tools. Unfortunately, these same characteristics make these devices incredibly risky when they are used to store (even temporarily) protected health information (PHI). A few recent case examples illustrate both (a) the damage that can occur when these devices are lost, stolen or placed into the hands of an unauthorized person and (b) the need for health care organizations to establish formal policies that address and restrict such use:
- September 2011: A thumb drive containing the operation reports, consultation letters and photographs of surgical skin cancer procedures for 2,200 patients was stolen from the locked car of a New England dermatology practice employee.
- January 2013: A USB drive containing the names, ages and prescription information for 6,000 Utah Medicaid recipients was lost by a third-party vendor handling Medicaid pharmacy claims. The vendor’s employee had difficulty downloading the information onto her computer and placed it on the USB drive for convenience.
- May 2013: A computer chip inside a thumb drive containing the names, addresses, phone numbers and partial medical records of 2,125 patients of a Lincoln, Nebraska medical practice was lost by a practice physician. For convenience, the physician had attached the thumb drive to a lanyard he wore around his neck when seeing patients in the office and at the hospital. He only discovered that the chip was missing when the drive malfunctioned.
- December 2013: A USB drive containing the names, dates of birth and medical record numbers of nearly 50,000 patients of a California Hospital was lost.
- June 2014: A thumb drive containing the names, gender, medical record number, date of birth and area of the body imaged for 34,000 patients was stolen from an unlocked employee locker at a California Regional Medical Group’s outpatient imaging center.
2. The use of thumb drives and other portable devices for storing protected health information subjects the use/user to significant compliance requirements.
In all of the cases described above, the data on these devices was not encrypted, nor does it appear to have been password protected. Though HIPAA does not prohibit the use of mobile storage devices like thumb drives and does not mandate encryption, once protected health information is stored on a USB drive, it becomes (if it was not already) electronic protected health information (EPHI), and the device and the information on it must be handled in accordance with HIPAA. These requirements include (a) tracking the movements of the data and the device so as to ensure that there is no unauthorized access to the EPHI; (b) including the use and risks of breach in any HIPAA-required risk assessment; (c) destroying the data/USB device (once there is no longer a need for the EPHI) in a manner that ensures it cannot later be accessed by an unauthorized third party; and (d) addressing these details in any policies and procedures established for the handling of PHI and EPHI in compliance with the HIPAA Security Rule.
3. The loss, theft or misdelivery of a mobile storage device will, in most cases, result in a reportable breach, significant reporting expense and a possible fine.
Under HIPAA, unless encrypted in accordance with HHS guidance, the loss of, theft of or misdelivery (as was the case in Denton) of a USB drive will constitute a breach which, in most instances, will be reportable. The above examples illustrate the fact that well-meaning individuals handling PHI who, for convenience, used USB drives to store such data, and who never believed their USB drive would become lost or stolen, unintentionally made negative headlines for their organizations. These examples, and discussions about them, are easily found on the internet because HIPAA requires public reporting.
Many of the breach notification letters used to advise affected individuals are available online. The legal and reputational cost associated with managing any type of breach so as to comply with HIPAA will most assuredly exceed any convenience cost associated with the casual, unencrypted use of these types of devices.
Depending on the circumstances, there may also be fines associated with such a breach. In the first example listed above (the subject of a previous alert found here), the dermatology practice ultimately had to pay a fine of $150,000 and enter into a Resolution Agreement and Corrective Action Plan with HHS. Likewise, in a well-known case involving the October 2009 theft of a USB drive containing personal information relating to over 500 Alaska Medicaid recipients from the car of an employee of the Alaska Department of Health and Social Services (ADHSS), the ADHSS ultimately had to pay a fine of $1,700,000 and enter into a Resolution Agreement and Corrective Action Plan with HHS.
The most recent USB breach case in Texas illustrates that despite negative consequences and numerous highly publicized data breach cases involving the storage of PHI on unencrypted mobile devices, these devices are still being used in this manner. It is critically important for any entity handling PHI to understand the risks of such use and to take the steps necessary to avoid becoming the next data breach headline.
Luis F. Ruiz