NEW CONNECTICUT DATA BREACH IS A PERFECT EXAMPLE OF DATA SECURITY FAILURES

The Connecticut Attorney General just announced that personal health information and protected health information for over 9,000 Hartford Hospital patients was lost in June.   http://www.ct.gov/ag/cwp/view.asp?Q=508726&A=2341.  A laptop carried by an  EMC subsidiary employee was reportedly stolen. The State AG announced that the unencrypted information on the laptop contained names, addresses, dates of birth, social security numbers, Medicaid and Medicare numbers and medical records numbers as well as other medical treatment information.  The vendor was performing a quality improvement on hospital readmissions.

This breach has red flags all over it for procedures that a medical provider or covered entity should NOT do with their PHI.  First, the information was unencrypted.  Second, the information contained not just protected health information but full social security numbers as well.  Third, the unencrypted information was provided to a third party vendor.  Fourth, the vendor was allowed to download the PHI onto a portable personal laptop and presumably take it off hospital grounds.

As a result of the breach, the hospital has to answer a number of public questions from the State AG who is already demanding a copy of the hospital policies and procedure for data protection pursuant to HIPAA requirements as well as its business associates policies, procedures and agreements.  Hopefully, the hospital has all of its privacy policies and BA agreements in order or significant fines or settlement fees may be paid in the future.  The State AG is also demanding that the hospital provide the affected individuals with two years of credit monitoring services, identity theft insurance and pay for a security freeze to be placed and then lifted on the patient’s credit reports. 

This breach provides a perfect example for medical providers and their representatives to see how poor data security procedures can lead to embarrassing and expensive public questions from a State Attorney General.