A Third HIPAA Breach for University of Rochester Medical Center


HIPAA Security

On Friday, May 6, 2013, officials from the University of Rochester Medical Center (URMC) announced that one of its physicians had misplaced an unencrypted USB drive containing 537 patient files with private health information.

URMC officials said that they’ve notified all 537 of the former orthopedic patients whose information was lost. The USB drive contained private information including: patient names, age, gender, phone numbers, dates of birth, medical record numbers, dates of service, orthopedic physician names, diagnoses, diagnostic studies, procedures and complications. Officials stated that no addresses, Social Security numbers or insurance information for any of the patients were compromised.

It’s believed that the flash drive was lost at the URMC Outpatient Surgery Center. It was never recovered. Hospital officials suspect the flash drive was destroyed in the laundry, but a search failed to locate the USB drive at the laundry service.

According to URMC, the physician was in violation of its new, updated policies regarding portable devices. Teri D’Agostino, a spokesperson for URMC, said that physicians and staff are encouraged to access patient records only through the secure network, and that when it becomes necessary to load information onto a portable drive, they are required to encrypt the drive. This requirement was communicated to all staff and faculty, and is continually enforced at URMC. The new rules for portable devices also state that they must be password protected and have a time-out feature when unattended.

D’Agostino said that URMC is planning an annual education series to reinforce company policies. This is being done in an attempt to re-educate faculty and staff about policies that require any and all drives to be encrypted when transferring private health information.

This is the third time URMC has reported a data breach of over 500 patients to the Department of Health and Human Services. The previous two breaches, occurring in 2010, compromised the private health information of approximately 3,500 patients.

Have you made sure your medical clinic and business associates are in compliance with HIPAA and HITECH? If you are not sure, give us a call today. As your trusted medical IT professionals in Baltimore/Washington DC, we will make sure all your business associates and your medical clinic are compliant with HIPAA Omnibus and HITECH. Call us today.

We're Integris. We're always working to empower people through technology.
