PHI of 3,725 MGVAMC Patients Exposed Due to Lost Laptop

A decommissioned laptop computer formerly used by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA was found to be missing, possibly resulting in the compromise of sensitive patient information.

The laptop was connected to a hematology analyzer and stored information associated with hematology tests. The center used the laptop computer from April 2013 to May 2016, and it was decommissioned after it became unusable. The laptop was replaced, but a subsequent equipment inventory revealed that the device was missing.

The device should have been sent back to the vendor, but the vendor had no record of the laptop being returned from MGVAMC. MGVAMC conducted an equipment inventory of the laboratory and found the device to be missing. The medical center performed a full search for the laptop, but it was not located.

It was not possible to determine exactly what information was stored on the device. The specific number of patients affected by the breach is also unknown. MGVAMC therefore assumed that all patients who underwent hematology tests during the period when the laptop was in use potentially had their information compromised.

According to a statement published by MGVAMC, the information stored on the laptop likely included patients’ names, birth dates and Social Security numbers. A total of 3,275 patients were potentially affected and were notified about the potential breach. Where appropriate, MGVAMC offered the patients credit monitoring and identity theft protection services.

Whenever equipment that contains electronic PHI is decommissioned, HIPAA-covered entities must ensure that all information on the device is rendered unreadable, indecipherable, and impossible to reconstruct. The physical safeguards specified in the HIPAA Security Rule – 45 CFR 164.310(d)(2)(i) – require covered entities to implement policies and procedures addressing the final disposition of ePHI and/or the hardware on which it is stored, while 45 CFR 164.310(d)(2)(ii) requires covered entities to implement procedures for the removal of ePHI from electronic media before the media is made available for re-use.

OCR advises clearing, which uses software or hardware tools to overwrite or replace the data on the media with non-sensitive information; purging, which degausses the media or exposes it to a strong magnetic field to destroy the recorded magnetic domains; or destroying the media by disintegration, melting, pulverization, shredding or incineration. If vendors supplied the devices, discuss with the vendor the procedure for clearing the devices before decommissioning and create policies as necessary.
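As an added illustration of the "clearing" option above (not code from MGVAMC, the VA or OCR), the following Python overwrites a constructed hematology export in place, checks that none of the original bytes survive, and produces a sanitization record of the kind an equipment inventory should hold for each decommissioned device. The file name and asset tag are placeholders, and overwriting a single file is only a model of the technique: clearing a whole device, especially flash storage, needs a device-level tool and a verification step of its own.

```python
import hashlib
import os
import secrets
import tempfile
from datetime import datetime, timezone

# Constructed sample content standing in for a hematology export; not real data.
SAMPLE_EXPORT = b"name,dob,ssn\nJane Doe,1970-01-01,000-00-0000\n"


def overwrite_file(path: str, passes: int = 2) -> int:
    """Overwrite every byte of the file: random data first, zeros on the last pass.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for n in range(passes):
            fh.seek(0)
            fill = secrets.token_bytes(size) if n < passes - 1 else b"\x00" * size
            fh.write(fill)
            fh.flush()
            os.fsync(fh.fileno())  # push the overwrite through the OS cache to storage
    return size


def verify_cleared(path: str, original_digest: str) -> bool:
    """True only if the file is now all zeros and no longer matches the original hash."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data == b"\x00" * len(data) and hashlib.sha256(data).hexdigest() != original_digest


def clear_and_record(path: str, asset_tag: str) -> dict:
    """Clear one file and return a sanitization record for the equipment inventory."""
    with open(path, "rb") as fh:
        before = hashlib.sha256(fh.read()).hexdigest()
    size = overwrite_file(path)
    return {
        "asset_tag": asset_tag,            # placeholder identifier, not a real VA asset tag
        "path": path,
        "bytes_overwritten": size,
        "method": "clear (overwrite: random pass, then zero pass)",
        "verified": verify_cleared(path, before),
        "sha256_before": before,
        "when_utc": datetime.now(timezone.utc).isoformat(),
    }


def demo() -> dict:
    """Write the constructed export to a temporary file and clear it."""
    path = os.path.join(tempfile.mkdtemp(), "hematology_export.csv")  # hypothetical name
    with open(path, "wb") as fh:
        fh.write(SAMPLE_EXPORT)
    return clear_and_record(path, "ASSET-TAG-PLACEHOLDER")


if __name__ == "__main__":
    print(demo())
```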

In response to this breach, the Mann-Grandstaff VA created a new policy for clearing electronic media before disposal, decommissioning, or return of devices to vendors, to prevent similar breaches of ePHI from happening again.