Unencrypted Portable Hard Drive Potentially Exposed 9,387 Patients’ PHI

Charles River Medical Associates in Framingham, MA discovered the danger of failing to encrypt protected health information on portable hard drives. In November 2017, the entity found that one of its portable hard drives was missing. The missing device stored patient information including x-ray images, patient ID numbers, names and birth dates. A total of 9,387 patients that visited the Framingham radiology lab for a bone density scan from 2010 to the present were affected.

The portable hard drive served as a back-up of the bone density scans of patients. It is updated every month with the new scans from the past four weeks. It was during the monthly back-up last November that the staff noticed the missing portable drive.

Every staff in the radiology lab was asked about the portable drive, but they have not seen it in four weeks. They searched the entire premises for several weeks but they did not find the device. So, Charles River Medical Associates’ executive director, Brian Parillo, had no choice but to declare the device lost. They could not speculate whatever happened to it.

The HIPAA Rules require a notification report to be submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR) when any device containing unencrypted protected health information is lost. The affected patients must also be notified by mail of the potential breach of their unencrypted PHI. Charles River Medical Associates had already complied with these requirements.

It is believed that the portable drive is lost and not stolen. But the device may possibly have been found by an unauthorized person who viewed the stored information. So patients must be warned against the possibility of fraudulent activities on their accounts. The good news is the portable device did not keep any financial information, Social Security numbers or health insurance information. Hence, the risk of identity theft and fraud is deemed low.

Because of this incident, Charles River Medical Associates took the following corrective action:

·         encrypting of backup information stored on portable drives

·         Review of their security controls to identify potential vulnerabilities that could sabotage the confidentiality, integrity and availability of PHI

·         Retraining of staff regarding privacy workflows.