Two recent data breaches involving personal health information on portable storage devices highlight the need for healthcare organizations to make the New Year's resolution to tighten up security.
On Dec. 15 the California Department of Public Health (CDPH) released a statement saying that it had reported to state authorities that a missing magnetic tape, delivered from one department facility to another, had been lost. The tape contained medical or other personal information for as many as 2,550 facility residents, CDPH employees and healthcare workers, and was unencrypted.
The confidential information on the lost tape includes employee e-mails, investigative reports, background information on healthcare workers, the names of healthcare facility residents and some information on their medical diagnosis, and social security numbers for CDPH employees and some facility residents and healthcare workers.
CDPH officials said they are currently notifying affected individuals, but that at this point there is no evidence that unauthorized parties have acquired or accessed personal information.
"The privacy of medical and other personal information is a top priority for CDPH," said CDPH Director Mark Horton. "We immediately implemented procedure and policy changes to prevent such errors from occurring in the future. We take any breach of secure documents very seriously, and we regret this occurrence. We will redouble our efforts to ensure that everyone's personal information is properly protected."
The incident occurred when a CDPH field office in West Covina, in the Los Angeles area, sent a magnetic tape to the central office in Sacramento as part of the procedure for backing up its computer data. The magnetic tape was unlabeled and was sent via U.S. Postal Service.
On Sept. 27 CDPH received the mailed envelope, which was reported to be unsealed and empty. CDPH said they immediately reported the breach to the Information Security Office and began an investigation of the incident. On Nov. 23 CDPH completed compiling the list of individuals whose medical or other personal information may have been compromised as a result of the loss of the tape.
CDPH said it has implemented policy and procedure changes to minimize the likelihood of recurrence and is researching options, which would eliminate the need for a back up tape.
On Dec. 10 Mountain Vista Medical Center in Mesa, Ariz., released a statement saying that it had became aware that compact memory data cards containing information related to procedures occurring Jan. 1, 2008, through Oct. 12, 2010, were missing from two endoscopy machines in the endoscopy unit. According to a report by the Arizona Republic, the data cards held information on 2,200 patients.
Officials said the compact memory data cards include the following information about the patients: full name, date of birth, age, sex, hospital medical record number, physician last name, date and time of procedure, type of procedure, and procedure image(s). However, they said they had no reason to believe that the information involved in the incident had been accessed or improperly used.
Social security numbers, credit card numbers, addresses, and telephone numbers were not included on the data cards, officials said.
Mountain Vista Medical Center has sent letters to all patients whose personal/sensitive information may have been stored on the compact memory data cards to notify them of the incident. In addition, the hospital has conducted a thorough investigation of the incident, revised its security procedures involving storage of the compact memory data cards, modified the endoscopy machines to no longer use those cards and retrained its endoscopy unit employees on confidentiality and security procedures.
