Two USB drives holding the protected health information (PHI) of almost 2,000 veterans at the Mann-Grandstaff VA Medical Center in Spokane, WA have been reported stolen.
The two devices were storing data from a separate, external, non-networked server that was being decommissioned. One of the devices was the master drive used to transfer the medical center's Anesthesia Record Keeper database to its virtual archive server. In a statement, the medical center said that the transfer had taken place in January. No explanation has been given as to why the database was still on the drive.
The devices were stolen on July 18, 2017 from a contract employee who was attending a service call at a VA hospital in Oklahoma City.
Mann-Grandstaff VA Medical Center could not determine exactly what information was still on the USB drives, although the database on the virtual archive server was reviewed and found to include full names, addresses, phone numbers, surgical information, insurance information, and Social Security numbers.
The 1,915 people whose PHI may have been exposed are being notified of the breach by mail and have been offered 12 months of free credit monitoring services.
In September 2017, the same medical center disclosed another data breach. An unencrypted laptop computer that served as an interface to a hematology analyzer was found to be missing. The data on the laptop included the names, dates of birth, and Social Security numbers of almost 3,200 veterans. Following that breach, the medical center adopted a system that allows devices to be remotely sanitized if they are lost or stolen.
While transporting or storing data on small standalone devices such as USB, pen, or zip drives is convenient, such devices are easily misplaced, lost, or stolen. The loss of a USB drive storing PHI is a reportable HIPAA breach and one that could lead to a major regulatory fine.
There are now a variety of cloud-based services that allow data to be easily accessed and shared. Covered entities still using these small standalone devices to store PHI should consider eliminating the use of USB devices and moving to HIPAA-compliant cloud storage.
Before entering into a usage agreement with any cloud storage service, HIPAA covered entities should obtain a signed, HIPAA-compliant business associate agreement and train staff members on the correct use of the storage platform.
If the use of USB drives is unavoidable, any PHI kept on the devices should be encrypted to prevent unauthorized access in the event of loss or theft, or protected by an alternative safeguard that provides an equivalent level of protection.
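The following Go program is an added illustration of the encryption safeguard described above; it is not code from the article, the VA, or any vendor. It seals a record with AES-256-GCM (an authenticated cipher, so a stolen drive yields only ciphertext and any tampering is detected on read) and writes only the ciphertext to a file path standing in for the removable drive. The sample record, the file name, and the use of a caller-supplied 32-byte key are all constructed assumptions; in practice the key would come from a separate key store and never be written to the same drive.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Constructed sample export standing in for a PHI record copied to a
// removable drive. Not real patient data.
const sampleRecord = "name=Jane Example;dob=1970-01-01;ssn=000-00-0000;proc=appendectomy"

// sealRecord encrypts plaintext with AES-256-GCM under a 32-byte key.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// The key is assumed to come from a separate key store (assumption).
func sealRecord(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per file: reusing a nonce under the same key breaks
	// GCM, so it is generated here rather than accepted from the caller.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord. A modified blob or the wrong key fails
// authentication and returns an error instead of any plaintext.
func openRecord(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// writeSealed encrypts a record and writes only the ciphertext to path
// (e.g. a mount point on the removable drive) with owner-only permissions.
func writeSealed(path string, key, plaintext []byte) error {
	blob, err := sealRecord(key, plaintext)
	if err != nil {
		return err
	}
	return os.WriteFile(path, blob, 0o600)
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Hypothetical drive path; a temp file is used so the demo runs anywhere.
	path := filepath.Join(os.TempDir(), "anesthesia-export.bin")
	if err := writeSealed(path, key, []byte(sampleRecord)); err != nil {
		panic(err)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrote %d bytes; plaintext visible on disk: %v\n",
		len(blob), bytes.Contains(blob, []byte("Jane")))
	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or tampered file
	if _, err := openRecord(key, blob); err != nil {
		fmt.Println("tampered file rejected:", err)
	}
}
```

The point of using GCM rather than a bare block mode is that the tag check makes a lost drive useless to whoever finds it and also flags any silent corruption of the export before it is restored. Key handling is the part this snippet deliberately leaves to a key store: a key sitting on the same drive as the ciphertext gives no protection at all.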