Breach Causes You May Not Know About
The loss or theft of laptops and other computer devices accounts for the majority of major breaches reported to federal regulators so far.
But we've reported on a number of lesser-known breach causes, ranging from information left on the hard drives of leased copy machines to documents left in filing cabinets donated for resale.
It pays to be aware of each of these potential threats.
Perhaps the most eye-opening incident so far involved a New York insurer that returned leased copiers, only to discover they contained hard drives that stored lots of patient information. As a result, it notified a whopping 409,000 customers, clinicians, employees, job applicants and others "out of an abundance of caution," just in case information about them was copied.
Lesson learned: Remove and destroy your leased copiers' hard drives before you return them. And think twice whenever using any copier, especially those outside of your organization, to make duplicates of patient records.
Sometimes even doctors and nurses can be breach threats.
A small-town hospital in Wisconsin notified 600 patients about a breach in connection with a former emergency room nurse charged with fraudulently obtaining controlled substances. "This breach occurred because the nurse misused her legitimate access to protected health information," the hospital's CEO said.
Meanwhile, a radiologist in Connecticut took patient information from computers at one hospital where he formerly worked and used it to drum up business at another hospital. The case affected 957 patients.
Lesson learned: Some breaches by members of your clinical staff are going to be tough to detect. But it pays to audit who is accessing what information for what purpose.
DUMPING THE TRASH
Be careful how you dispose of paper records.
A North Carolina urgent care center has paid a $50,000 settlement because its patient information was disposed of in a dumpster last year in violation of state law. The statute requires documents containing personal identifying information to be destroyed or shredded.
A firm hired by the center to transfer paper records to a storage facility tossed the intact files instead. The breach affected 757.
Similarly, the South Carolina Department of Health and Environmental Control discovered that an employee, since fired, placed documents in a recycling bin behind its headquarters rather than taking them to a shredding facility. That incident affected nearly 3,000.
Lesson learned: Make sure everyone on your staff is aware of your policies regarding shredding documents before putting them in the trash. And be careful who you hire to move records to offsite storage.
A New York hospital recently discovered that an envelope stuffing machine was placing two bills in each envelope, resulting in patients getting an extra bill intended for someone else. As a result, about half of the 2,500 bills mailed to patients one day in April went to the wrong address.
Lessons learned: Check your mail machines regularly, add a counter to make sure the totals of envelopes and letters match, and spot-check stuffed envelopes to make sure they don't include any extras.
Just when you think you've heard about all the potential ways healthcare information can be breached comes word of an insurance company that forgot to empty a filing cabinet it donated along with other surplus office furniture. The incident affected 12,000.
Lesson learned: When donating furniture, such as cabinets and desks, make sure they're empty. Who knows what you'll find in there?