Unencryption at core of HIPAA breach
The San Jose, Calif.-based Santa Clara Valley Medical Center is notifying 571 patients that their protected health information has been compromised after an unencrypted laptop was stolen from the hospital's audiology department.
Patient names, medical records numbers, dates of birth, ages, sex, dates of service and brainwaves from testing were all included on the laptop, according to the Sept. 27 notification letters mailed to patients.
The theft was discovered Sept. 16.
"We apologize for any inconvenience or concern this incident may have caused you," wrote Lisa Pfeifer, acting compliance and privacy officer at Santa Clara Valley Health & Hospital System, in the letter. "SCVHHS maintains high standards for the safeguarding of protected health information and takes all potential or actual patient privacy breaches seriously."
To protect against further breaches, Pfeifer said she would speak with department heads to ensure proper policies and procedures are being followed, in addition to providing privacy training for the department. Plans for encrypting laptops were not, however, indicated.
The Office for Civil Rights, a Department of Health and Human Services subagency designated to investigate HIPAA breaches, has received some 80,000 complaints regarding HIPAA violations since 2003. Sixteen of those have resulted in hefty monetary penalties.
"It is the patient's interests that really define what are going to be our enforcement priorities, what are going to be the judgments we make," said OCR Director Leon Rodriguez at the September HIMSS Media/Healthcare IT News Privacy and Security Forum.