Why was a dermatology practice fined $150,000 for a lost thumb drive?
A Concord, Massachusetts dermatology practice was recently fined $150,000 because of a lost thumb drive. While a lost thumb drive might seem innocuous, this particular one was a healthcare practice's nightmare simply because of its contents. According to HIPAAOne, the thumb drive was “unencrypted and contained the electronic protected health information of about 2,200 individuals.”
The thumb drive wasn’t just lost; it was stolen. An employee of Adult & Pediatric Dermatology, P.C. reported that the device was stolen out of a vehicle and was never recovered. The penalty was swift and warranted, as the practice “didn’t identify it in a HIPAA risk analysis nor had it managed the risk so its patients’ data was protected.”
From medical records to insurance forms to prescription services, the healthcare business is a networked environment in which patient information is shared and managed by a variety of parties and from a number of endpoints, each with its own level of security for protecting that information.
Maintaining the security of patient data is a complex proposition that affects every employee of a healthcare facility, every area of its IT system, and all vendors, partners, and insurers that work with the healthcare provider.
To an identity thief, medical data is particularly valuable, as it enables them to illegally obtain medical goods and services or sell the sensitive information.
It’s imperative that organizations implement healthcare data security solutions that will protect important assets while also satisfying healthcare compliance mandates.
Adult & Pediatric Dermatology, P.C. was given a corrective action plan requiring it to conduct a risk analysis and mitigate the security risks it identifies. In addition, it was told to provide the Office for Civil Rights with an implementation report once the plan has been completed.
This is where a periodically reviewed data protection policy should be in place to prevent breaches of any kind. Access to personal information must be controlled, and staff must be made aware of their obligations. In the case of Adult & Pediatric Dermatology, data in transit should have been better protected; an unencrypted device holding patient records should never have left the premises. Steps should also be taken to ensure that data can be recovered, or rendered unreadable, if a device is lost. Staff must understand the importance of reporting a breach to the appropriate person in the organization so that the extent of any damage can be limited.
As long as it remains profitable for hackers and thieves to conduct attacks on healthcare organizations, the attacks will continue. All healthcare organizations can do is to improve their defenses and make it harder for hackers to succeed.
Legal Shred protects our customers by providing secure paper shredding and hard drive destruction in compliance with HIPAA, as well as other federal and state data destruction laws.