Car Burglars: A Major Breach Threat
Yet Another Incident of Stolen Storage Media
In this incident, which dates back to July, a hard drive containing information on more than 63,000 patients was stolen from the car of an employee of the Neurological Institute of Savannah in Georgia. The drive contained information on patients treated between Jan. 1, 2006, and July 2, 2011, according to a statement on the institute's website. The information included names, Social Security numbers, addresses, dates of birth, telephone numbers and billing account data, but no financial data or medical records.
Two of the largest breaches reported in recent months have involved similar circumstances. For example, in the largest breach incident reported since the HIPAA breach notification rule took effect in September 2009, TRICARE, the military health program, reported 4.9 million beneficiaries were affected when unencrypted computer backup tapes were stolen from the car of a business associate's employee. And in an earlier incident, New York City Health and Hospitals Corp. reported unencrypted backup tapes containing information on 1.7 million individuals were taken from the truck of a business associate.
The Neurological Institute says it's working with local police in an attempt to identify the thief and recover the items stolen. "We have also modified our security procedures to eliminate any loss or potential breach of this nature in the future," according to the institute's statement.
"Although parts of the data were encrypted, password-protected and randomly stored, there is a possibility your data could be accessed by an unauthorized individual," the statement to affected patients says. So far, there is no evidence the data has been used inappropriately, and police believe the thief "likely was not trying to steal data," the statement adds. Rather than offering free credit monitoring services, the institute is advising those affected to place a fraud alert on their credit reports.
Security consultant Rebecca Herold advises healthcare organizations to encrypt all backup media and take other security precautions, as outlined in a recent blog.