Possible HIPAA Violations in Medical College of Wisconsin Breach
The Medical College of Wisconsin has issued a statement announcing a data breach that has affected approximately 400 of its patients.
WDJT Milwaukee, an affiliate of CBS, was contacted on Feb 28, 2015 by a spokesperson for the Medical College of Wisconsin detailing a data breach which exposed some confidential information of its patients. The breach occurred on February 15, 2015, when a document and a laptop computer were stolen from a physician’s car. The document contained information relating to approximately 400 patients. The laptop is understood to have contained the information of only one patient.
It is not clear at this stage exactly what information was stored on the laptop computer or in the document, although MCW has confirmed that no Social Security numbers or patient addresses were stolen.
In spite of legislation requiring that data encryption be addressed, the healthcare industry has been slow to respond and use data encryption on its desktop computers, laptop computers and other portable storage devices. Data encryption ensures that if a device is stolen, no information can be accessed by unauthorized individuals. When it is not used, a laptop theft can compromise thousands, if not hundreds of thousands, of patient records.
HIPAA does not demand data encryption, only that it be addressed. If a similar level of protection can be provided by other means, healthcare organizations are entitled to use these as an alternative.
At the Medical College of Wisconsin, data encryption and other security measures are used in accordance with HIPAA regulations, yet these have been circumvented by a doctor.
According to the statement, “Firm policies are in place prohibiting the downloading of patient information to portable media, as well as the secured transport of documents containing patient information.” It went on to say, “A violation of these policies occurred on February 15, 2015, resulting in the theft of a document containing private information on approximately 400 patients, as well as information stored on a laptop computer pertaining to one patient.”
All affected patients are now being contacted to advise them of the breach and the information that has been compromised, and also to alert them to the possibility that their information may be used inappropriately. The Medical College of Wisconsin has also confirmed that it has now taken steps to prevent further breaches of this nature from occurring.
It is clear that a privacy violation has occurred, although at this stage it is unknown to what extent HIPAA violations have occurred and who is responsible. HealthITSecurity.com suggests that the data on the laptop was not encrypted, in violation of the privacy policies on the company website, which state that electronic protected information (EPI) must be encrypted.