Health Information Compliance Alert

Case Study:

Don't Overlook Data Breach Risks From Desktop Thefts

Are you including desktop computers in your security risk assessment?

No healthcare provider is immune from theft. And although you hear a lot lately about laptop thefts leading to HIPAA breaches, desktop computers are at risk as well. Are you taking the right precautions to protect all your computers?

Background: The theft of an unencrypted desktop computer during a break-in at a Temple University Physicians medical office in Philadelphia, PA, resulted in the breach of 3,780 patients’ protected health information (PHI). The theft occurred sometime between July 18 and July 21, 2014, according to Temple’s breach notification to the HHS Office for Civil Rights (OCR).

The desktop computer was in the surgery department and contained files with PHI including names, ages, billing codes and referring physicians’ names, reports the Philadelphia Inquirer. Temple claimed that the files did not contain financial information or Social Security numbers.

Take the Right Steps in Breach Response

Temple responded correctly: it immediately reported the theft to local police, HHS, and the affected patients. So far, Temple is providing free identity theft-monitoring services to all affected patients for the next 12 months.

Temple also plans to beef up its employee training, improve physical security, and boost technical security measures on desktop computers, according to the healthcare system. Unfortunately, the desktop was not encrypted.

What You Can Learn from This Breach

“Time and again data breaches are caused by the loss or theft of a laptop computer, but it is less common that a desktop is stolen that compromises health information,” said partner attorney Linn Foster Freedman in a Sept. 19 blog posting for the law firm Nixon Peabody LLP. 

Lesson learned: You should include desktop computers in your security risk assessments, “as the risk of theft of desktop computers is real, which is apparent from this incident,” Freedman warned. “It is a reminder that all computers are a security risk for an organization and proper security measures for all media — removable or otherwise — is essential.”