iPad Theft Is Reminder That Devices Still Cause PHI BreachesKaiser Permanente Says Tablet Contained COVID Testing Information, Photos
An iPad stolen from a Los Angeles hospital is a reminder that mobile device mishaps can still lead to breaches affecting tens of thousands of patients - and that good security is no guarantee of patient privacy unless humans cooperate.
Reports of big health data compromises from theft or loss of devices has plummeted as manufacturers turn on encryption by default - but Kaiser Foundation Health Plan of Southern California found itself in time-honored territory when it reported to federal regulators on July 15 a breach affecting more than 75,000 individuals caused by a pilfered tablet.
Incidents involving encrypted devices are generally not considered reportable HIPAA breaches, and the stolen iPad was indeed encrypted by default.
But whoever stole the tablet from a locked Kaiser Permanente storage room also got his or her hands on the passcode to unlock the tablet, the medical system disclosed. The device theft occurred on May 20.
"I think the increased prevalence of devices of all types in HIPAA-covered entities and business associates results in increased risk, because such devices are not being managed appropriately by workforce members," says privacy attorney Iliana Peters of the law firm Polsinelli.
Kaiser Permanente says the device was used at a COVID-19 testing site and contained photos of coronavirus lab specimen labels featuring patient information including name, date of birth, medical record number, and the date and location of service.
"While we do not have any specific evidence that information was accessed and/or viewed by the unknown individual, we are notifying individuals whose health information may have been contained on the stolen iPad," Kaiser Permanente says.
No photos of patients, lab results, Social Security numbers or credit card numbers were contained on the device. Kaiser Permanente says it remotely erased all data from the iPad, including images of lab specimen labels.
Kaiser Permanente declined Information Security Media Group's request for more details about the incident, including whether the stolen iPad's password was taped to the tablet.
Tablets such as iPads are increasingly a common sight in clinical settings.
The lightweight devices are "a big plus for busy providers who often go from one treatment room to the next. Their flexibility and ability to perform all the functions the provider needs helps them keep up with a growing practice," says Susan Lucci, senior privacy and security consultant at tw-Security.
All iPads have encryption built in once you set up a passcode. Most Windows 10 tablets are encrypted by default once a user signs into a Microsoft account, Lucci says.
Because Kaiser Permanente says its stolen iPad's password was taken along with the device, the data contained on the tablet - encrypted or not - was potentially accessible to unauthorized individuals.
Entities may well have robust encryption and password policies, but their employees may not follow such procedures with regard to those devices, says Peters, a former senior adviser at HHS OCR.
"Entities must recognize the real risk to their entities due to these device management issues, not only from theft and loss, but also from cyberattacks, and develop, revise, train, enforce and sanction on these policies," she says.
Experts say Kaiser Permanente did well to remotely delete the data contained on the iPad soon after discovering its theft.
"The value of a strong incident response plan is taking immediate steps to secure or delete the data and then identifying steps to minimize or prevent a recurrence," Lucci says.
Less Common Occurrences
Until a few years ago, incidents involving stolen or lost unencrypted computing devices, such as laptops, dominated reporting of large HIPAA breaches to federal regulators.
The Kaiser Permanente incident is the largest involving a lost or stolen computing device posted so far this year on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
As of Wednesday, of the 380 HIPAA breaches affecting 22.7 million individuals posted to the HHS Office for Civil Rights website so far in 2022, only 11 incidents - affecting a total of about 194,000 individuals - involved lost or stolen computing devices.
To date, the largest health data breach involving unencrypted computing devices was reported to HHS OCR in August 2013 by Chicago-area physician group practice Advocate Medical Group. That incident involved an office burglary and the theft of four unencrypted computers, affecting more than 4 million patients.
HHS OCR in 2016 smacked Advocate Medical Group with a then-record $5.5 million HIPAA settlement as the result of the agency's investigation into that incident and two smaller breaches (see: Advocate Health Hit With Record $5.5 Million HIPAA Penalty).