medical data

Medical Clinic loses Patient records in data breach

March 6th, 2013

The Granger Medical Clinic of West Valley city, alerted federal health officials of a data breach, which took place after collecting records of about 2,600 medical appointment slated for shredding went missing. The records of the medical clinic all from 2012, may have included patient names, date and time of examination, and the medical reason for an appointment; printed from the electronic scheduling database, as reported by clinic’s attorney Steven Hester. He further added, no personal information of the patients such as, address, birth dates, medical claim, social security or finance related record including credit card numbers, were included. Some of those documents had internal medical record numbers which were of no use outside the health clinic. Computer security software became a matter of concern when a staff reported about missing records and an internal investigation was launched. Later, news releases were issued and letters were sent to all the affected patients.

The Health Insurance Portability and Accountability Act, popularly known as HIPPA — requires records of data breach for reporting it to the federal officials, the affected patients of the clinic and media. HHS website states, the law demands a notification of the identified data breach within 60 days of the mishap. This is why data encryption software is required to avoid data loss. HIPPA defines a data breach as any disclosure or use of data which compromised privacy or data security of health information that poses a risk of financial, reputational or other harm to the affected person.

Medical Data Breach on the rise.

Medical Data Breach on the rise.

Till date, there’s been no single indication of data breach incident reported where the information has been used for impropriety, Hester said. Recently, the data security ombudsperson for Utah Department of Health — Sheila Walsh-McDonald, remained unaware of the Granger clinic data breach, but according to her there is no such law requiring the health clinic to notify state officials.Walsh-McDonald was appointed by Gov. Gary Herbert last year after computer hackers broke into a poorly-protected government server and stole Social data Security numbers for up to 280,000 people. Public health officials are more concerned about the volume of the medical records plus the types of information that could potentially be made public in any data breach. She told other officials and the media that, “We just have to be vigilant all the time and staff needs to understand all of the implications.”

Hester said, the clinic is implementing new data procedures and re-training staff to guard against the future data loss to computer hackers and for further data security needs. The changes which are brought about in the health clinic regarding the computer security software include ending the policy of printing and shredding patient appointment records, he said. Despite, investigations which were carried out internally, Hester said it is still not clear about the incident that happened to the Granger clinic records.

The documents in Granger’s book records, which represent only a fraction of the estimated 60,000 patients, were thought to have been well guarded by a computer security software, but the files could not be extracted at the time of shredding.

Hospitals can secure themselves with Alertsec

Organisations and hospitals, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute. Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Alertsec Xpress’s Check Point Full Disk Encryption is used by over 4 million users worldwide.