Names, dates of birth, prescription drugs and dates of service found on unencrypted drive
A Wisconsin health insurance group has notified nearly 42,000 of its members that their protected health information may have been compromised following a HIPAA privacy breach.
Back in December, Unity Health Plans Insurance Corporation, which serves some 140,000 members, discovered a unencrypted portable computer hard drive containing health records of 41,437 individuals was missing from the University of Wisconsin-Madison School of Pharmacy. Officials say the school had this information as part of a benefits program evaluation.
[See also: Ready or not: HIPAA gets tougher today.]
Member names, dates of birth, name of prescription drugs and dates of service were contained on the device.
"(We're) reviewing all our policies and trying to reeducate employees," Jennifer Woomer Dinehart, spokesperson for Unity Health, told Healthcare IT News. Woomer Dinehart would not confirm or clarify what the company-wide encryption policy was.
"We are sorry this happened and want to provide pertinent information concerning the occurrence along with the steps we are taking to minimize any potential impact," read a Jan. 30 company notice.
To date, out of the more than 80,000 HIPAA breach cases OCR has received since 2003, only 17 of them have resulted in fines thus far.
[See also: 4-year long HIPAA breach uncovered.]
Just this past December, the five-hospital Riverside Health System in southeast Virginia announced that the PHI of nearly 1,000 patients had been compromised in a privacy breach that continued for four years. From September 2009 through October 2013, a former Riverside employee inappropriately accessed the Social Security numbers and electronic medical records of 919 patients. The breach wasn't discovered until Nov. 1 following a random company audit.