Edwin Shaw employee loses unencrypted flash drive with 975 patients’ info
An anonymous site visitor kindly pointed me to this item that was in the Akron Beacon Journal last week:
If you went to Akron General Edwin Shaw Rehabilitation hospital in 2010 or 2011, expect to receive a letter from hospital officials saying that some of your information may have been compromised.
Officials said the data — 975 patient names and some medical record numbers, dates of service, names of insurance provider/referring provider and type of treatment received — are so generic that they are unlikely to lead to identity theft.
Wow, way to try to minimize your breach. Why was such old data on a flash drive that was taken off-premises? They don’t seem to explain that.
Read more on Ohio.com. Here is the hospital’s full notice, as posted on their web site on April 22:
Notice Regarding Information Breach
On February 24, 2016, Edwin Shaw Rehab leadership became aware that a “flash” drive device containing limited protected health information belonging to some patients who received services in 2010 or 2011 had been inadvertently misplaced or disposed of at a February 19, 2016, business-related event, which was closed to the general public. The device was secured in a zippered day planner that an employee mistakenly left behind. There is no evidence to suggest that the device or any of its contents have been accessed or used improperly.
Do you really think a drive is “secured” if it’s in a zippered day planner? Oh well, let’s continue….
A thorough assessment was conducted once the employee discovered the day planner was missing on February 24, 2016. The information that was documented on the “flash” drive included one or more of the following types of information about patients: patient names, medical record number, date(s) of service, name of insurance provider, referring provider and type of treatment received. The device did not include any credit card, debit card, social security numbers or bank account numbers; nor did the device contain patient addresses, dates of birth or phone numbers.
But why was that old data on a flash drive outside of the offices? Was it being used at the business meeting? They provide no explanation for why these data were there and no explanation for why the drive wasn’t at least encrypted.
We want to ensure patients who were included on the “flash” drive are notified. This week, we sent letters to any patients whose information was on the device. In that mailing, we also provided educational material and information to contact us if they have additional questions.
Edwin Shaw policies and procedures prohibit the storage of patient information on the type of device involved. We take this matter very seriously and have taken additional steps to help prevent this from occurring again. This includes disciplinary action with the involved employee and mandatory training for the entire department to ensure they understand their obligations for protecting patient information and compliance with hospital policies.
Well, that’s good, but it still doesn’t explain why this happened.
Edwin Shaw Rehab is committed to providing the highest level of care for its patients, while protecting the privacy and security of their personal information. We regret this incident occurred and any inconvenience or concern this may cause to some of our patients. Should patients have any questions, they can contact us at [email protected] or by phone at 330.344.4722 or by mail to: Edwin Shaw, Attn: Compliance Office, 405 Tallmadge Rd., Cuyahoga Falls, OH 44221.