Boston Children’s Hospital Health Data Breach

May 29, 2012

As reported by the Boston Globe, a Boston Children’s Hospital employee attending a conference in Buenos Aires lost a laptop that contained a file with information about 2,159 patients, including names, birth dates, diagnoses and treatment information.

In line with HIPAA regulations, Boston Children’s has now notified patients and their families of the breach by e-mail. The hospital was also required to notify the media as the breach affects more than 500 people in one state.

In a recent article, EHR Intelligence commented on the breach:

“Two things are immediately disturbing about the incident:

  1. Why is child patient data even on the laptop in the first place?
  2. What compelled the hospital staff member to bring a device potentially containing protected health information (PHI) out of the hospital, let alone the country?”

I think there are two more issues to add to that list:

  1. While the laptop was password-protected, it was not encrypted.
  2. The file was not saved to the hard drive but was on the laptop in an e-mail attachment when it was stolen.

To address the first point, any content containing Protected Health Information (PHI) should be encrypted. And to the second point, any e-mail attachments with sensitive information should also be encrypted to protect against misuse. To go one step further in preventing a breach like this, the PHI should not have been sent via e-mail; rather, it should have been saved on an intranet with specific permission rules and prevention rules automatically applied.

It’s time we put health breaches like this behind us, not only because of the risks they cause for the patients, but also because of the implications for the hospital.

Content compliance solutions that can automatically monitor to prevent situations like this are essential for healthcare and other organizations that handle personal information.

Check out the webinar recording on information security risks and penalties associated with HIPAA/HITECH and the measures health providers and insurers can take to protect PII and PHI.


Kurt Mueffelmann

Kurt Mueffelmann is the CEO of Cryptzone. He has over 20 years' experience in the software industry, and has led HiSoftware (acquired by Cryptzone in September 2014) to steady growth since 2006 with a portfolio of industry recognized, award-winning products. Prior to joining HiSoftware, Mueffelmann was Vice President and General Manager of both the Document Output Solutions and Business Process Solutions lines of business for Bottomline Technologies. He holds a BA degree in economics and political science from Fairfield University in Connecticut.
