IU Health Arnett Security Infringement Affects 29K Patients

Arnett Hospital of Indiana University Health has notified 29,324 patients concerning the possible revelation of their Protected Health Information (PHI) following an unencrypted flash drive vanished from its emergency division.

The flash drive was found to be lost on November 20, 2015, and an inspection was instantly started. Work is continuing to try to find the lost flash drive that was stolen inside a part of the hospital not open to the general public. As a result, hospital officers don’t believe patient data have been viewed or acquired by an external 3rd party.

IU Health Arnett Hospital began dispatching infringement notification letters to impacted patients a week ago to tell them that a few of their PHIs have possibly been compromised. Nevertheless, no reports of improper use of the data have thus far been received by the hospital.

The flash drive wasn’t utilized to store credit card numbers, financial information, or Social Security numbers, even though spreadsheets preserved on the system included medical diagnoses, dates of birth, medical record numbers, and patient names.

Director of clinical and quality excellence for IU Health Arnett, Norma Gilbert, released an announcement verifying “Patient medical record info is maintained on a safe server… This isn’t the usual way of saving patient data.”

Due to the security infringement, IU Health Arnett will be analyzing its safety plans as well as will take measures to minimize the possibility of events like this from happening once again down the road.

An Adverse Beginning of 2016 Following ‘The Year of the Medical Data Infringement’


2015 was a bad year for the healthcare industry. More than two times the quantity of health care records were uncovered in the last 12 months as compared to were uncovered between 2009 and the conclusion of 2014.

The Indiana University Health security event is the biggest suffered after OH Muhlenberg’s revealed its 84,681-patient record hacking incident in November, 2015.

The newest security episode is the 9th biggest to be experienced by a HIPAA-covered organization in the last 6 months, with just the safety events at Lancaster County EMS, UCLA Health, Medical Informatics Engineering, North East Medical Services, Empi Inc, Excellus Health Plan, OH Muhlenberg, and Molina Healthcare having revealed additional data.

OCR Penalties for Loss as well as Thievery of Unencrypted Mobile Storage Systems


Mobile systems utilized to save medical info can be simply stolen, lost, or misplaced. It’s, therefore, necessary that info saved on the systems are protected. Failure to utilize encryption on mobile systems can simply lead to an OCR HIPAA infringement fine.

In November 2015, Lahey Hospital and Medical Center settled with OCR for $850,000 following a laptop was thieved, disclosing the data of 599 people.

Alaska Department of Health and Human Services settled with OCR for $1.7 million a year ago following a mobile electrical storage system was thieved from the automobile of a DHHS worker.

In 2014, Stanford Hospital & Clinics accepted a $4.1 million settlement following 1 million files were revealed when 2 laptops were thieved, and a $1.7 million penalty was paid by Concentra Health Services following an unencrypted laptop was thieved.

With OCR penalties being progressively issued after data Infringements and state Attorneys general also penalizing medical providers for info exposures, this is a great time for HIPAA-covered organizations to analyze their data security plans.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.