The Washington University School of Medicine, St. Louis, has announced that a password-protected but unencrypted laptop computer was reported stolen from a physician at a healthcare conference in Argentina. The laptop held the records of about 1,100 surgery patients.
The data breach, which occurred on Nov. 28 last year, exposed patients' names, dates of birth, medical record numbers, diagnoses, types and dates of surgery, and, in 39 instances, Social Security numbers, according to a news release.
All of the affected individuals were patients of the university's Department of Surgery, from 2002 to the present, the statement said.
“To help prevent something like this from occurring in the future, we are expanding our use of encryption on portable devices and re-educating our workforce members regarding the importance of handling patient information securely,” the medical school statement said.
There have been 525 breaches involving the records of more than 500 patients publicly reported on the website of the Office of Civil Rights at HHS and perhaps as many as 80,000 lesser breaches reported to the office since a federal breach notification law went into effect in September 2009.
Of the larger breaches, 42% have involved some sort of unencrypted mobile device.
The security rule under the Health Insurance Portability and Accountability Act does not mandate encryption, but if the healthcare industry keeps going on its current path and not securing mobile devices, it might, said Michael “Mac” McMillan, founder of CynergisTek, an Austin, Texas-based security firm.
U.S. Sen. Al Franken (D-Minn.) held hearings last year on healthcare-records security and has said he plans to reopen them this year, McMillan said.
“If they really want Franken to crawl up their backside, that's certainly giving Congress the ammunition they need to say, 'You know, this isn't working. We need to make encryption mandatory,'” McMillan said. “I think that's inevitably what's going to happen.”