Earlier this month Stanford reported its 5th HIPAA breach since 2009. This is Stanford’s third largest breach, affecting nearly 13,000 patients. A broken laptop containing protected health information of pediatric patients was stolen from a restricted area of the Lucile Packard Children’s Hospital at Stanford. The laptop was unencrypted and contained patient information including: name, medical record number, age, telephone numbers, surgical procedures and treating physicians. Though the laptop had a broken screen, the data can still be extracted from the computer (for example, by removing the drive).
Stanford’s other breaches include a disclosure of 20,000 patient records when a subcontractor of a business associate posted patient information on a public website while seeking help with using Excel; the data was left on the website for nearly a year. This breach has resulted in a $20 million class action lawsuit under California law.
Earlier this year, Stanford announced its largest breach, affecting 57,000 patient records, when an unencrypted laptop with patient information was stolen from a physician’s car. In addition, Stanford reported a breach in 2012 of 2,500 patient records following the theft of an unencrypted laptop from a physician’s office. Lastly, in 2010, Stanford was fined after failing to notify the state of California of the theft by an employee of a laptop containing over 500 patient records.
Considering Stanford’s previous breaches, encrypting its laptops would be a sound course of action to prevent future HIPAA data breaches. Stanford has reported that it now encrypts its laptops, but the one most recently stolen was unencrypted because its screen was broken; a damaged device that still holds PHI needs the same protection as a working one.
Lessons learned from Stanford’s misfortunes: encrypt all PHI, and securely destroy broken devices (remember that even when a device is broken, the data on it is still valuable to thieves).
For assistance with HIPAA and/or the breach notification rules please contact Elana Zana.