The Atlanta Constitution and others reported yesterday that Emory Healthcare, the largest healthcare provider in the state of Georgia, was unable to locate 10 back-up computer discs containing Social Security numbers, names, addresses, dates of birth, and clinical and other information on approximately 315 000 former surgical patients covering the period from September 1990 to April 2007. Some 228 000 of the missing patient records included Social Security numbers.
The Emory website announcement concerning the loss stated that the discs, which belonged to a software system that was deactivated in 2007, went missing between the 7th and 12th of February of this year. After searching “extensively” for the discs, apparently for nearly two months, Emory said they still couldn’t be located. Emory emphasized in its announcement that it was “important to note that this incident was not a breach or ‘hacking’ of our computer systems,” but conspicuously didn’t rule out deliberate theft.
Emory also announced that so far, “There is no indication that this information has been or will be misused.” I find that last phrase “will be misused” more of a hope than a statement of fact. Emory is still smarting from an incident last year where a small number of Emory patient records had been stolen and then used to file fraudulent tax returns in hopes of getting refunds.
Another Atlanta Constitution story late yesterday reported that the information on the discs was not encrypted, and that they were not stored “according to protocol.” The story stated that the discs were kept in an unlocked file cabinet in a room that had restricted access but wasn’t always locked. An Emory spokesperson explained that the discs weren’t encrypted because they belonged to an outdated system; he also said the organization believed the information on the discs would likely be difficult to access.
Emory says that it will change how it handles patient information (presumably encrypting all patient-related data), as well as offering a year of free credit monitoring service to those affected. Emory also apologized profusely for the incident.
However, the provider is still likely to face stiff fines from the U.S. Department of Health and Human Services (DHHS) for the loss, accidental or not. As you may recall, a few years ago, I blogged about a theft of 57 hard drives from a BlueCross BlueShield of Tennessee storage facility containing the unencrypted records of nearly one million of its members. Even though BlueCross BlueShield spent over US $17 million on its investigation and later data encryption efforts, and even though there has not yet been any evidence that the stolen information has been misused, DHHS fined the insurer $1.5 million last month for Health Insurance Portability and Accountability Act (HIPAA) violations related to the theft.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.