The Outer Banks Hospital alerts former Eastern Carolina Cardiovascular patients of lost identity and medical info

Another entry for the “Why is this still happening in 2016?” collection.

Think long and hard – and then think harder – about whether you should be using thumb drives to transfer unencrypted protected health information.

Rob Morris reports:

Personal data for patients over a period of 12 years might be at risk after two thumb drives went missing during the transfer of computer files from Eastern Carolina Cardiovascular to The Outer Banks Hospital.

Read more on The Outer Banks Voice. It sounds like the hospital is responsible for this one:

“The Outer Banks Hospital recently acquired certain assets of the OBX Cardiopulmonary Rehabilitation program of Eastern Carolina Cardiovascular P.A.,” a hospital statement released Friday said.

“We moved those assets on June 20-21, to The Outer Banks Hospital. On June 22, 2016, we discovered that two flash drives containing patient information went missing.

So who decided transfer by thumb drive was a secure method for transmitting PHI? And why weren’t the data at least encrypted if you were using thumb drives? The following statement by the hospital suggests that someone may not have followed policy or procedure:

Data Privacy Event Affects Cardiopulmonary Rehabilitation Patients

Written By  Amy Montgomery, The Outer Banks Hospital  on  Aug. 19, 2016

Nags Head, NC – The Outer Banks Hospital is providing notice of a recent data event that may have compromised the security of personal information relating to current and former patients who received treatment at the OBX Cardiopulmonary Rehabilitation program of Eastern Carolina Cardiovascular, P.A., located in Kitty Hawk, NC, from 2004 until June of 2016.

The Outer Banks Hospital recently acquired certain assets of the OBX Cardiopulmonary Rehabilitation program of Eastern Carolina Cardiovascular, P.A. We moved those assets on June 20-21, to The Outer Banks Hospital. On June 22, 2016, we discovered that two flash drives containing patient information went missing. We immediately began working diligently to investigate and to mitigate the potential impact of this incident to determine whether any sensitive information was affected.

While there is no indication the information has been misused, we determined that current and former patient information was located on one or both of the flash drives, and we are providing written notice to those individuals for whom we have contact information. The flash drives may have contained the following categories of information: Social Security number, emergency contact number, mental health information, insurance ID number, diagnosis, health history information, patient account number, medical record number, referring physician name, and demographic information.

“This is not consistent with our privacy practices, and we are truly sorry that it occurred,” said Ronnie Sloan, president of The Outer Banks Hospital. “Be assured that we do have policies and procedures in place to allow for appropriate action in response to the inappropriate use, access, or disclosure of our patient’s medical information, and that we have taken steps to address this matter.”

As part of The Outer Banks Hospital’s commitment to the security of personal information, third-party forensic investigators have been brought in to help investigate the incident and the hospital began notifying affected patients by mail on Tuesday, August 16, 2016. As the investigation into potentially affected patients continues, the hospital expects to identify and send letters to the remaining patients whose addresses are on file within the next few weeks. As an additional precaution, The Outer Banks Hospital is offering affected individuals access to one (1) year of free credit monitoring and identity theft restoration services.

The Outer Banks Hospital has established a dedicated assistance line for individuals to ask questions or learn additional information regarding this incident. Individuals can reach this assistance line by calling
1-866-775-4209. If you believe you may have been affected, but did not receive a letter, please contact this assistance line.

The Outer Banks Hospital encourages patients who believe they may be affected by this incident to remain vigilant by reviewing their account statements and monitoring free credit reports for suspicious activity. At no charge, an individual can also have these credit bureaus place a “fraud alert” on their file that alerts creditors to take additional steps to verify their identity prior to granting credit in their name. The contact information for the major consumer reporting agencies is below:

Equifax
P.O. Box 105069
Atlanta, GA 30348
800-525-6285
www.equifax.com

Experian
P.O. Box 2002
Allen, TX 75013
888-397-3742
www.experian.com

TransUnion
P.O. Box 2000
Chester, PA 19022
800-680-7289
www.transunion.com

Individuals can obtain information about fraud alerts, preventing identify theft, and the steps they can take to protect themselves, by contacting the Federal Trade Commission or their state Attorney General. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh NC 27699-9001; (919) 716-6400; and www.ncdoj.gov. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.ftc.gov/idtheft/; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.

Patients of the OBX Cardiopulmonary Rehabilitation program of Eastern Carolina Cardiovascular, P.A., can find information about the steps to take if they believe their information may be affected at https://www.theouterbankshospital.com/.

The number of patients being notified was not disclosed in the statement or local media report. This post will be updated when the number is revealed.

Update: This incident was subsequently reported to HHS as affecting 1,000 patients.

About the author: Dissent