St. Luke’s Cornwall Hospital Informs Data Exposure to 29K Patients

St. Luke’s Cornwall Hospital has released a media declaration providing more information on the 29,156-record data infringement that happened on October 31, 2015. The hospital has clarified that the infringement happened when an unknown person entered a top-secret space of the hospital and thieved a thumb drive having a limited amount of patient data.

The device was unencrypted as well as contained patient names, medical record numbers, details of imaging services provided, as well as the dates of patient visits. Some administration information was also saved on the thumb drive, though no health information, insurance details, financial information, or Social Security numbers were compromised.

Although the case was discovered swiftly, the hospital had to carry out an inquiry to establish the precise data that were saved on the thumb drive and which patients were affected. The inquiry has now been finished and patients have been informed of the infringement of their saved health information by mail. The Division of Health and Human Services’ Office for Civil Privileges was informed of the data infringement on December 30, 2015.

Even though just limited patient data were revealed and the danger of people suffering financial losses or identify thievery as a consequence of the infringement is comparatively low, out of a profusion of care St. Luke’s Cornwall Hospital is delivering affected patients with identity thievery recovery services for one year without a fee.

The security infringement has encouraged St. Luke’s Cornwall Hospital to modify its rules on data encryption. All USB drives utilized by the hospital will now need a password in order to access data, as well as the devices will also contain patient data encrypted.

The usage of thumb drives as well as other moveable storage devices carries a data safety risk because they can all too easily be stolen or lost. To decrease the danger of more security incidents of this type, St. Luke’s will be employing IT systems that let data access without the usage of thumb drives.

OCR Takes Action over Moveable Device Thievery

Office for Civil Privileges has been cracking down on HIPAA-covered individuals who have suffered data infringements as a consequence of moveable storage devices being stolen or lost. Many settlements have been reached with companies for possible HIPAA infringements that resulted in the loss of moveable devices as well as the revelation of ePHI.


Covered Entityinfringement TypeRecords RevealedDateSettlement Amount
Cancer Care Group, P.C.Thievery of Laptop/Unencrypted Backup Media55,000September, 2015$750,000
St. Elizabeth Medical CenterThievery of Flash Drive595July, 2015$218,400
Adult & Pediatric Dermatology, P.C.Thievery of Flash Drive2,200December, 2013$150,000
Alaska DHSSThievery of USB Hard Drive2,000June, 2012$1,700,000


Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.