HIPAA breach for 34K after staff slipup

Employee leaves unencrypted device in unlocked locker
By Erin McCann
09:13 AM

A Northern California hospital is reevaluating its security policies after an unencrypted USB drive containing the protected health information of nearly 34,000 patients was stolen from an employee's unlocked locker.  

The 278-bed Santa Rosa Memorial Hospital in California, operated by St. Joseph Health System, is notifying affected patients who had their X-ray data compromised after the June 2 burglary at the hospital's outpatient imaging center. Patient names, gender, medical record number, dates of birth and dates of service were also contained on the USB drive. 


The staff member reportedly left her locker unlocked. St. Joseph officials declined to comment on what position the employee held at the hospital, whether or not she was authorized to have the data, and what their policy was regarding employees handling devices containing PHI and encryption. "Due to the ongoing investigation with the Santa Rosa Police Department and respect for our patient and employee privacy," St. Joseph officials wrote in an emailed statement.

The employee had backed up the X-ray records on the unencrypted drive in preparation for their migration to Santa Rosa Memorial's electronic medical records system, according to a company-issued press release.

The records were in the process of being transferred from the clinical information system formerly used by Redwood Regional Medical Group, which transferred operations of the imaging center to the hospital effective April 1.


"We take our obligation to protect patients' privacy very seriously, and apologize for any concerns or inconvenience to patients and their families that this causes," said Todd Salnas, president of St. Joseph Health in Sonoma County, which owns and operates Santa Rosa Memorial, in a prepared statement. "Following this burglary, we immediately heightened security measures and training at our new Sotoyome Drive facility, and are committed to preventing such an intrusion from happening again."

Santa Rosa Memorial officials are offering one year of credit monitoring and identity theft protection services to affected patients.

This is St. Joseph Health's third reported HIPAA breach, according to data from the Department of Health and Human Services, and all three involved the loss or theft of unencrypted electronic devices.

In 2010, St. Joseph Heritage Healthcare, part of SJH, reported that 22 computers were stolen from its office. Five of the computers contained the protected health information of some 22,000 patients. In late 2013, SJH's Redwood Memorial Hospital reported a similar incident after a portable electronic device containing the protected health information of more than 1,000 patients was lost.

To date, nearly 32 million people have had their protected health information compromised in HIPAA privacy and security breaches.