An Unencrypted Thumb Drive Costs a Medical Practice $150,000.


January 21, 2014


Adult & Pediatric Dermatology, P.C. of Concord, Mass. must pay $150,000 to settle HIPAA violations after the loss of records on about 2,200 patients. According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, the breach occurred when an unencrypted thumb drive containing ePHI was stolen from an employee’s vehicle. In addition, the medical practice had never accounted for the thumb drive, or the ePHI stored on it, in its HIPAA risk analysis.

Do you have a proper risk management process in place? Do you know which devices hold electronic protected health information (ePHI), and is the data on each of them secured? As a healthcare professional, it’s critical to identify and mitigate these risks before a HIPAA breach occurs, not after.

The Take-Home Message:

1.   You shouldn’t store electronic protected health information (ePHI) on unencrypted devices, including thumb drives.

2.   You must identify thumb drives and other devices containing ePHI during a HIPAA and Meaningful Use Risk Analysis.

Where Is Your ePHI?

Many healthcare organizations believe their protected information is contained only in their electronic health records (EHR). However, any file that ties a patient to diagnostic, treatment, or billing information is ePHI and must be protected wherever it lives. The following are a few examples of places where ePHI can be found:

  • Letters
  • Spreadsheets and reports
  • Faxes and scanned images
  • Medical images and photographs
  • Voice files

Protected information can be stored on any device, including the hard drives inside copiers and multifunction printers. If you’re storing protected patient data on portable devices, make sure those devices are encrypted. Under the HIPAA Breach Notification Rule, ePHI that is encrypted according to HHS guidance is considered “secured,” so losing an encrypted drive is not a reportable breach, while losing an unencrypted one is. Encryption is what turns a stolen thumb drive from a six-figure settlement into a lost piece of hardware.

Tips To Prevent a HIPAA Breach

A HIPAA breach can lead to hefty fines, lost customer confidence, and reputational damage. You can protect your healthcare organization by doing the following:

1.    Don’t Export Data From Your EHR System

If you need to access protected data outside the office, use remote access tools (for example, a VPN or a remote desktop session into the office network) to work with the information where it already lives, instead of copying it to a laptop or portable drive. Data that never leaves the office cannot be stolen from a car.

2.   Protect Your Computers and Network

Create a policy that prevents unauthorized users from exporting data from your EHR system, and back it with technical controls such as restricting who can write to removable media. Also, make sure your network and portable devices are professionally managed so that patches, access controls, and encryption are applied consistently rather than left to each user.

3.   Encrypt Your Devices

Every device that stores patient data should be encrypted, both stationary and portable: full-disk encryption on workstations, laptops, and servers, and encryption of removable media such as thumb drives and external hard drives (or hardware-encrypted drives). Store the recovery keys centrally; an encrypted drive whose key has been lost is just another way to lose the data.
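The two take-home points above (identify every removable device, and make sure it is encrypted) can be checked directly on a Windows workstation. The following script is an added example, not code from the original post or from Integris: it lists every volume on a USB-attached disk, reports its BitLocker To Go status, and warns about any that are unprotected, so it can be run from a scheduled task as part of the risk-analysis inventory. It assumes the BitLocker and Storage PowerShell modules (Windows 8 / Server 2012 or later, on an edition that includes BitLocker) and an elevated session; the drive letter E: in the remediation section is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory USB-attached volumes and check BitLocker protection.
# Assumes the BitLocker and Storage modules are available (Windows 8+/Server 2012+).
Import-Module BitLocker

# Every partition with a drive letter that sits on a disk attached over USB.
# Filtering on the bus type catches both thumb drives (DriveType 'Removable')
# and external hard drives, which Windows reports as 'Fixed'.
$usbVolumes = Get-Disk | Where-Object BusType -eq 'USB' |
    Get-Partition | Where-Object { $_.DriveLetter -match '[A-Z]' } |
    ForEach-Object { "$($_.DriveLetter):" }

$report = foreach ($mount in $usbVolumes) {
    # Get-BitLockerVolume returns nothing for volumes BitLocker cannot manage.
    $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MountPoint       = $mount
        VolumeStatus     = if ($bl) { $bl.VolumeStatus }     else { 'NoBitLockerInfo' }
        ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Off' }
        # Only a volume whose protectors are active counts as encrypted.
        Encrypted        = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
    }
}
$report | Format-Table -AutoSize

# Flag anything unprotected so the inventory fails loudly rather than silently.
$unprotected = $report | Where-Object { -not $_.Encrypted }
if ($unprotected) {
    Write-Warning ("Unencrypted removable volumes: " + ($unprotected.MountPoint -join ', '))
}

# Remediation for one thumb drive (BitLocker To Go), E: is a placeholder:
# encrypt the whole volume with XTS-AES-256, unlock it with a password, and add
# a recovery password that should be stored centrally (not on the drive).
# Uncomment to run against a real drive.
# $pw = Read-Host -AsSecureString -Prompt 'BitLocker password for E:'
# Enable-BitLocker -MountPoint 'E:' -EncryptionMethod XtsAes256 -PasswordProtector -Password $pw
# Add-BitLockerKeyProtector -MountPoint 'E:' -RecoveryPasswordProtector
# (Get-BitLockerVolume -MountPoint 'E:').KeyProtector |
#     Where-Object KeyProtectorType -eq 'RecoveryPassword' |
#     Select-Object RecoveryPassword
```

Run it from an elevated PowerShell session on each workstation; the warning line is the part worth wiring into monitoring. Note that a drive that is still encrypting shows an EncryptionInProgress status with protection off, so a freshly enabled drive will be flagged until encryption completes.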

4.   Hire a Professional To Conduct a HIPAA Risk Analysis

A certified compliance expert can identify problems and solutions that would otherwise go unnoticed, including devices nobody remembered to put on the inventory. It’s much less expensive to hire a professional than to face a HIPAA breach.

To learn more about HIPAA compliance and how to secure your devices, give us a call at (888) 330-8808 or send us an email. Integris can help you keep your patients’ information confidential.

We're Integris. We're always working to empower people through technology.
