Boston Children’s Hospital Health Data Breach
As reported by the Boston Globe, a Boston Children’s Hospital employee attending a conference in Buenos Aires lost a laptop that contained a file with information about 2,159 patients, including names, birth dates, diagnoses and treatment information.
In line with HIPAA regulations, Boston Children’s has now notified patients and their families of the breach by e-mail. The hospital was also required to notify the media as the breach affects more than 500 people in one state.
In a recent article, EHR Intelligence commented on the breach as follows:
“Two things are immediately disturbing about the incident:
- Why is child patient data even on the laptop in the first place?
- What compelled the hospital staff member to bring a device potentially containing protected health information (PHI) out of the hospital, let alone the country?”
I think there are another two issues to add to that list:
- While the laptop was password-protected, it was not encrypted.
- The file was not saved to the hard drive but was on the laptop in an e-mail attachment when it was stolen.
To address the first point, any content that contains Protected Health Information (PHI) should be encrypted. On the second point, any e-mail attachments with sensitive information should also be encrypted to protect against misuse. Going one step further, to prevent a breach like this the PHI should not have been sent via e-mail at all; it should be saved on an intranet with specific permission rules and prevention rules applied automatically.
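The attachment rule above can be expressed as an automated check. The following is an added example, not code from the original post or from any product it refers to: it parses a message and flags unencrypted attachments that match PHI indicators. The indicator patterns, the encryption markers and the sample message are assumptions constructed for illustration.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed indicators for the data types named in the post; not a full PHI list.
PHI_PATTERNS = {
    "birth_date": re.compile(r"\b(?:dob|date of birth)\b|\b\d{4}-\d{2}-\d{2}\b", re.I),
    "diagnosis": re.compile(r"\bdiagnos[ie]s\b|\b[A-TV-Z]\d{2}\.\d{1,4}\b", re.I),
    "treatment": re.compile(r"\btreatment\b", re.I),
}
# Assumed markers of an already-encrypted attachment (S/MIME, OpenPGP).
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/pgp-encrypted"}
ENCRYPTED_SUFFIXES = (".gpg", ".pgp", ".p7m")

def is_encrypted(part):
    name = (part.get_filename() or "").lower()
    return part.get_content_type() in ENCRYPTED_TYPES or name.endswith(ENCRYPTED_SUFFIXES)

def audit_message(raw_bytes, min_kinds=2):
    """Return (filename, matched PHI kinds) for each unencrypted attachment
    that matches at least min_kinds indicator types."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        if is_encrypted(part):
            continue  # ciphertext cannot be inspected and needs no flag
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        kinds = sorted(k for k, rx in PHI_PATTERNS.items() if rx.search(text))
        if len(kinds) >= min_kinds:
            findings.append((part.get_filename(), kinds))
    return findings

def build_sample():
    """Constructed message: one cleartext PHI file, one encrypted, one benign."""
    m = EmailMessage()
    m["From"], m["To"] = "clinician@hospital.example", "colleague@hospital.example"
    m["Subject"] = "Conference data"
    m.set_content("Files attached.")
    m.add_attachment("name,dob,diagnosis,treatment\nJane Doe,2009-04-12,J45.909,inhaler\n",
                     subtype="csv", filename="patients.csv")
    m.add_attachment(b"constructed-ciphertext", maintype="application",
                     subtype="octet-stream", filename="patients.csv.gpg")
    m.add_attachment("Agenda: keynote at 9am\n", subtype="plain", filename="agenda.txt")
    return m.as_bytes()

if __name__ == "__main__":
    for filename, kinds in audit_message(build_sample()):
        print(f"BLOCK {filename}: unencrypted attachment with {', '.join(kinds)}")
```

Treating a `.gpg` or `.p7m` file name as proof of encryption is a simplification of this sketch; a production check would verify the ciphertext format itself.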
It’s time we put health breaches like this behind us, not only because of the risks they cause for patients, but also because of the implications for the hospital.
Content compliance solutions that can automatically monitor to prevent situations like this are essential for healthcare and other organizations that handle personal information.
Check out the webinar recording on information security risks and penalties associated with HIPAA/HITECH and the measures health providers and insurers can take to protect PII and PHI.