Stolen Flash Drive Costs Practice $150K

An unencrypted USB drive has ended up costing one dermatology practice $150K in fines. The device, containing ePHI relating to Mohs surgery on approximately 2,200 patients, was stolen from a staff member’s car on September 14, 2011. The drive was never recovered.

The practice notified patients of the breach within 30 days of its discovery, and also notified the media, which is required by the Breach Notification Rule. However, upon investigation, the Office of Civil Rights concluded that the practice was non-compliant in three areas:

(1) The practice did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 1, 2012, more than a year after the theft.

(2) The practice did not fully comply with the administrative requirements of the Breach Notification Rule in that it did not have on hand written policies and procedures on Breach Notification; nor did it train members of its workforce regarding the Breach Notification requirements until February 7, 2012.

(3) On September 14, 2011, the practice impermissibly disclosed the ePHI by allowing an unauthorized individual access to it for a purpose not permitted by the Privacy Rule. In other words, the practice did not reasonably safeguard an unencrypted flash drive that was stolen from the unattended vehicle of a staff member.

What this means for your practice: The Privacy and Security Rules have been in effect since 2003 and 2005, respectively. Because it had had several years to implement the requirements and failed to do so, the practice was deemed willfully negligent, which carries stiffer fines. The moral of this story is not that you should avoid the required reporting if you have a breach (any of the 2200 patients could also have filed a complaint). Rather, this is a good time to ask yourself if you have been conducting the required risk assessments and identifying and implementing safeguards to protect patient data. Updating a patient’s health history is an ongoing process; likewise so is analyzing where and how your data is stored. In the early 2000s most offices were filing claims electronically, but few offices were utilizing digital x-rays, electronic patient records or other types of technology that store patient data. Today, almost all offices use these technologies. Also, in recent years it has come to light that patient data, along with other confidential business information, is stored in non-secured memory on your fax and copier machines.

While you might not have any unencrypted flash drives lying around, take note of where your data is stored and how it moves through your system.

To read the Final Settlement and Corrective Action Plan, click here.

Additional Reading: Healthcare IT News