While convenient, portable devices come with a great deal of risk. No organization wants to imagine its portable devices getting lost or stolen, however it happens. If appropriate safeguards are not in place to protect those devices, a serious breach could occur. Unfortunately for Durango Family Medicine (DFM), this nightmare came true when a portable external hard drive went missing from their office. An article in The Durango Herald discusses the breach and what information may have been compromised.
According to a letter sent out by attorney Terry Cipoletti of Caplan & Earnest LLC on June 6th, former patients of DFM were notified of a data breach of their private health information. The incident occurred on April 7th, when DFM discovered a portable external hard drive was missing from their office. The external hard drive contained patient information, including medical conditions and social histories.
Because DFM's healthcare providers merged with Mercy Regional Medical Center to form Mercy Family Medicine, DFM's previous records needed to be stored on an external hard drive.
The type of information contained on the missing hard drive included electronic patient charts that contain patient names and ID numbers, dates of birth, addresses, phone numbers, insurance carriers, dates of service and certain clinical information such as medical problem lists, vital signs, diagnoses and medical conditions, allergies, medications, progress notes, admission and discharge notes, operative report notes, lab and/or diagnostic study results, social histories, letters of referral and consultation notes.
Cipoletti explains in the letter that the external hard drive was the only device that went missing from the site and that law enforcement is aware of the incident.
Following the incident, DFM has improved their security measures for the remaining portable external hard drives by encrypting them and storing them in safe deposit boxes. In addition, employees owning portable electronic storage devices have read and approved of updated procedures as a further measure for safeguarding the electronic patient records.