The US Department of Health and Human Services is having a tough time of it. They are the latest government agency to report a significant data breach, but this time, with a twist. In this instance, it wasn’t a nefarious plot by a group of hackers, but simple human carelessness and error.
The case in question involves the improper handling and disposal of physical records containing protected health information (PHI) from Radiology Regional Center in Fort Myers, Florida. Documents were loaded on a truck and sent to a local landfill, but they were not shredded or redacted before being handed off. The door of the shipping unit was not properly secured, and in transit some of the papers simply blew out onto the road.
It is unclear which records, or how many, were exposed, but the shipment contained records of more than 483,000 individuals. This is not just a local or regional problem, either. The Radiology Center handles patient records and information from all over the country, and the incident prompted HHS to send a notification to all of the potentially impacted individuals.
As to the seriousness of the data loss, that is difficult to measure or assess at this point. It is possible that most of the lost records will be damaged by the elements and rendered illegible before any harm can be done, but it is just as easy to imagine another, much darker outcome. Worse, because these were highly detailed records, they contained patient names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance policy numbers, and sensitive, normally protected health information. In other words, the potential impact of this incident is about as large and as severe as one would ever expect to see.
All of this underscores an important point. While we are scrambling to secure the digital integrity of data, we must never forget that this is only one part of a much more complex equation. Physical security and proper disposal must be given equal time and attention. HIPAA compliance is all-encompassing: physical records have to be stored and disposed of properly, just as electronic records do. Nearly every day now, it seems, we hear of yet another organization that has suffered a data breach.
And some might think, what's the big deal? The big deal about health records is two-fold. First, the law requires that every single organization that comes in contact with PHI, whether physical or electronic, be HIPAA compliant. If an organization doesn't take HIPAA seriously and fails to protect patient records, OCR will levy heavy fines, as we've seen recently. Second, a health record contains every single piece of information about a person, down to the last detail. If someone with malicious intent got hold of one, they could use it to steal an identity, open new credit cards, file false healthcare claims, drain a bank account; you get the picture.
Many organizations struggle to protect patient records, and some fail miserably. If your organization needs help protecting its data from loss, misuse, or worse, identity thieves, do not hesitate to reach out to us. VITECH's team of experienced security experts is here to help.