An Unencrypted Thumb Drive Costs a Medical Practice $150,000.


January 21, 2014

HIPAA Thumb drive security breach

Adult & Pediatric Dermatology, P.C. of Concord, Mass. must pay a $150,000 HIPAA penalty after losing 2,200 patient records. According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, the HIPAA penalty occurred when an unencrypted thumb drive was stolen from an employee’s vehicle. In addition, the medical practice failed to identify the thumb drive in a HIPAA risk analysis.

Do you have a proper risk management process in place? Do you secure electronic protected health information (ePHI) stored on various devices? As a healthcare professional, it’s critical to identify and mitigate risks before a HIPAA breach occurs.

The Take-Home Message:

1.   You shouldn’t store electronic protected health information (ePHI) on unencrypted devices, including thumb drives.

2.   You must identify thumb drives and other devices containing ePHI during a HIPAA and Meaningful Use Risk Analysis.

Where Is Your ePHI?

Many healthcare organizations believe their protected information is only contained in their electronic health records (EHR). However, any file containing diagnostic or treatment information must be protected. The following are few examples of places where ePHI can be found:

  • Letters
  • Spreadsheets and reports
  • Faxes and scanned images
  • Medical images and photographs
  • Voice files

Protected information can be stored on any device, including hard drives inside copiers. If you’re storing protected patient data on portable devices, make sure those devices are encrypted to avoid a HIPAA penalty in the unfortunate event that it is lost or stolen.

Tips To Prevent a HIPAA Breach

A HIPAA breach can lead to hefty fines, lost customer confidence, and reputational damage. You can protect your healthcare organization by doing the following:

1.    Don’t Export Data From Your EHR System

If you need to access protected data outside the office, use remote access tools to securely access the information without transferring data to a remote or portable device.

2.   Protect Your Computers and Network

Create a policy to prevent unauthorized users from exporting data from your EHR system. Also, make sure your network and portable devices are professionally managed to protect confidential data.

3.   Encrypt Your Devices

Devices should be encrypted to protect patient data stored on them, including both stationary and portable devices.

4.   Hire a Professional To Conduct a HIPAA Risk Analysis

A certified compliance expert can identify problems and solutions that would otherwise go unnoticed. It’s much less expensive to hire a professional than to face a HIPAA breach.

To learn more about HIPAA compliance and how to secure your devices, give us a call at (888) 330-8808 or send us an email at Integris can help you keep your patients’ information confidential.

We're Integris. We're always working to empower people through technology.

Keep reading

Benefits of a NIST Cybersecurity Framework Risk Assessment

The National Institute of Standards and Technology (NIST) released the cybersecurity framework risk assessment in 2014. It is an impressive and detailed resource that allows a wide range of industries to better manage and understand their cybersecurity efforts. Many...

Information Technology Consulting Firms: Tips for Common IT Problems

When you run a business, you will run into standard information technology (IT) issues. Security breaches, broken technology, lost data, and forgotten login information will happen in only a matter of time – which is why it’s crucial to have information technology...