The Atlanta Constitution and others reported yesterday that Emory Healthcare, the largest healthcare provider in the state of Georgia, was unable to locate 10 back-up computer discs containing Social Security numbers, names, addresses, dates of birth, and clinical and other information on approximately 315,000 former surgical patients covering the period from September 1990 to April 2007. Some 228,000 of the missing patient records included Social Security numbers.
The Emory website announcement concerning the loss stated that the discs, which belonged to a software system that was deactivated in 2007, went missing between the 7th and 12th of February of this year. After what was apparently nearly two months of searching “extensively” for the discs, Emory said they still couldn’t be located. Emory emphasized in its announcement that it was “important to note that this incident was not a breach or ‘hacking’ of our computer systems,” but conspicuously didn’t rule out deliberate theft.
Emory also announced that so far, “There is no indication that this information has been or will be misused.” I find that last phrase “will be misused” more of a hope than a statement of fact. Emory is still smarting from an incident last year where a small number of Emory patient records had been stolen and then used to file fraudulent tax returns in hopes of getting refunds.
Another Atlanta Constitution story late yesterday reported that the information on the discs was not encrypted, and that they were not stored “according to protocol.” The story stated that the discs were kept in an unlocked file cabinet in a room that had restricted access but wasn’t always locked. An Emory spokesperson explained that the discs weren’t encrypted because they belonged to an outdated system; he also said the organization believed the information on the discs would likely be difficult to access.
Emory says that it will change how it handles patient information (presumably by encrypting all patient-related data) and will offer a year of free credit monitoring service to those affected. Emory also apologized profusely for the incident.
However, the provider is still likely to face stiff fines from the U.S. Department of Health and Human Services (DHHS) for the loss, accidental or not. As you may recall, a few years ago, I blogged about a theft of 57 hard drives from a BlueCross BlueShield of Tennessee storage facility containing the unencrypted records of nearly one million of its members. Even though BlueCross BlueShield spent over US$17 million on its investigation and subsequent data encryption efforts, and even though there has not yet been any evidence that the stolen information has been misused, DHHS fined the insurer $1.5 million last month for Health Insurance Portability and Accountability Act (HIPAA) violations related to the theft.