Optical Care Chain Loses a Server, Again
Missing Computer Contained PHI for 48,000 Customers
For the second time in recent weeks, Visionworks Inc. has revealed that one of its stores misplaced a database server, apparently because it was improperly disposed of.
In a Nov. 21 statement, Visionworks, a unit of Pittsburgh, Pa.-based healthcare insurer Highmark Inc., revealed that a database server at a store in Jacksonville, Fla., containing "partially unencrypted protected health information" belonging to approximately 48,000 customers had been mistakenly discarded after it was replaced on June 2 during scheduled computer upgrades.
Last month, the chain announced that a store in Annapolis, Md., lost a database server containing patient information in June while it was being replaced during a store renovation (see Lost Server: What Went Wrong?). The lost Maryland computer, which contained data on 75,000 customers of that store location, is believed by Visionworks to have been discarded by mistake in a landfill.
The Jacksonville server also went missing during a computer replacement upgrade, which the company says was recently completed.
A Highmark spokesman tells Information Security Media Group: "These were two different incidents; no other servers have been lost" from any other locations.
Any individuals who received services at the Jacksonville store prior to Sept. 26, 2014, may have been affected, the company says. Data contained on the lost server includes credit card information, which was encrypted. Visionworks did not specify what kind of PHI was unencrypted on the server, but did say eye exam information was not stored on the lost computer.
"While the location of the server is still undetermined, it was likely discarded by an employee," Visionworks says in the statement. "At this time, there is no reason to believe that any of the information residing on the server has been accessed or used inappropriately."
Visionworks says it will provide affected customers at its Jacksonville store with free credit monitoring for one year, just as it did in the Annapolis incident.
The Highmark spokesman declined to detail the steps the company is taking to prevent the loss of more servers from its stores, other than to say: "Visionworks is in the process of fully encrypting all servers. The process should be complete within the next six months."
While full-disk encryption of the lost servers could have kept the data on them from being exposed at both store locations, "Server hard-drive encryption in an optometrist store is very rare," notes Kerry McConnell, a senior consultant at security services firm Tom Walsh Consulting.
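The "partially unencrypted" wording above is the condition a fleet-wide encryption rollout has to detect: an OS disk on LUKS while the database volume sits in the clear. The following audit script is an added example written for this article, not code from Visionworks, Highmark or any of the consultants quoted. It assumes a Linux host where dm-crypt is in use and parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` emits; the embedded SAMPLE_LSBLK is a constructed stand-in for such a server, and the ALLOWED_PLAINTEXT set is an assumption about which mount points are acceptable in the clear.

```python
"""Audit a Linux server for mounted filesystems that are not backed by dm-crypt.

Added example, not Visionworks/Highmark code. Parses the output of
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; SAMPLE_LSBLK below is a constructed
stand-in for a store server whose OS disk was encrypted but whose database
volume was left in the clear (the "partially unencrypted" case).
"""
import json
import shutil
import subprocess
import sys

# Constructed sample: sda2 is a LUKS container holding the root filesystem,
# sdb1 is a plain XFS volume carrying the database.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
             {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
              "children": [
                  {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"},
              ]},
         ]},
        {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sdb1", "type": "part", "fstype": "xfs", "mountpoint": "/var/lib/pgsql"},
         ]},
    ]
})

# Assumption: only the boot partitions may legitimately stay in clear text.
# Swap is deliberately NOT allowed here; unencrypted swap can spill PHI to disk.
ALLOWED_PLAINTEXT = {"/boot", "/boot/efi"}


def walk(dev, encrypted=False):
    """Yield (device, mountpoint, encrypted) for every mounted filesystem.

    A filesystem counts as encrypted when it, or any ancestor in the lsblk
    tree, is a dm-crypt mapping (TYPE == "crypt"). This also covers LVM
    volumes stacked on top of a LUKS container.
    """
    enc = encrypted or dev.get("type") == "crypt"
    mountpoint = dev.get("mountpoint")
    if mountpoint:
        yield dev["name"], mountpoint, enc
    for child in dev.get("children", []):
        yield from walk(child, enc)


def audit(lsblk_json):
    """Return a list of (device, mountpoint, encrypted) for the whole host."""
    tree = json.loads(lsblk_json)
    findings = []
    for dev in tree["blockdevices"]:
        findings.extend(walk(dev))
    return findings


def unencrypted_mounts(findings):
    """Data filesystems that are in the clear and not on the allow-list."""
    return [(name, mp) for name, mp, enc in findings
            if not enc and mp not in ALLOWED_PLAINTEXT]


def classify(findings):
    """Summarise the host as encrypted, partially unencrypted or unencrypted."""
    data = [f for f in findings if f[1] not in ALLOWED_PLAINTEXT]
    if not data:
        return "no data filesystems"
    n_enc = sum(1 for f in data if f[2])
    if n_enc == len(data):
        return "encrypted"
    if n_enc == 0:
        return "unencrypted"
    return "partially unencrypted"


def live_lsblk():
    """Run lsblk on this host, or return None if it is not installed."""
    if shutil.which("lsblk") is None:
        return None
    proc = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    raw = live_lsblk() if "--live" in sys.argv else None
    findings = audit(raw or SAMPLE_LSBLK)
    print("host status:", classify(findings))
    for name, mp in unencrypted_mounts(findings):
        print(f"  UNENCRYPTED  {name:<12} mounted at {mp}")
```

Run it with `--live` on a real host to audit that machine; without the flag it evaluates the constructed sample and reports the database volume. The check only establishes that a dm-crypt layer sits under each data filesystem; it says nothing about where the unlock key lives, so a container whose key file is stored on the same unencrypted `/boot` partition would still pass and needs a separate review.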
Security experts say the back-to-back incidents spotlight the need for organizations to have solid inventory management and data disposal practices, and to ensure that staff are aware of those policies.
"In our experience doing HIPAA risk assessments, we often see storerooms or locked 'cages' of older used equipment," says Dan Berger, CEO of security services firm Redspin. "We often point this out as a vulnerability for precisely the reason that occurred at Visionworks. Once taken out of service, it is very easy to forget what is on each server or workstation," he says. "That sets the stage for an inadvertent discarding of a device that contains lots of confidential data."
Berger stresses that having policies safeguarding PHI even when it's no longer needed is mandated under HIPAA.
"We cite the HIPAA Security Rule, which requires that covered entities and business associates implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored," he says.
Another Highmark Breach
Visionworks' parent company, Highmark, had another recent breach, according to the Department of Health and Human Services' "wall of shame" tally of breaches affecting 500 or more individuals. That April incident, which affected about 2,600 individuals, involved "health profile and care summaries and corresponding cover letters that were incorrectly mailed."
The incident exposed the names, addresses, telephone numbers, dates of birth, unique medical identifiers, gender, medications, and health information of the affected individuals.
The HHS site notes that following the breach, Highmark "issued a new unique medical identifier to each member impacted by the incident." Additionally, the breach list entry for the incident notes that Highmark "determined that a process failure by an employee was the root cause for the incorrect mailing and subsequently terminated the employee."
Furthermore, as a result of the HHS' Office for Civil Rights' investigation into that incident, Highmark "instituted new quality review procedures for mailings and retrained employees on its privacy practices and departmental policies, processes and procedures," notes the tally entry. "OCR obtained details of the covered entity's revised policies on its health profiles to assure they include only the minimum necessary information."