HIPAA Privacy and Security Reminders – UT Physicians Laptop Goes Missing
On August 28, 2013, UT Physicians, the medical group practice of The University of Texas Health Science Center at Houston (UTHealth) Medical School, announced that an unencrypted laptop computer containing some patient information was discovered missing on Aug. 2 from a locked closet in a UT Physicians orthopedic clinic.
What Was the Nature of the Information and How Many Individuals Were Affected?
UT Physicians reported that 596 individuals’ information was stored on the laptop. The specialized laptop computer attached to an electromyography machine included hand and arm image data from February 2010 to July 13. Patient information stored on the computer included names, birth dates and medical record numbers. There were no addresses, social security numbers, or insurance or other financial information stored on the laptop.
What Was Done to Mitigate / Remediate?
- On August 28, UT Physicians began mailing letters to the 596 patients whose information was stored on the laptop.
- Reportedly, encryption of all laptops has been the policy at UT Physicians and UTHealth for the last two years and all known laptops – more than 5,000 – have been encrypted.
- The medical group and UTHealth have taken steps to ensure that the missing laptop in the orthopedic clinic is an isolated incident.
- UT Physicians and UTHealth officials continue to work with law enforcement in their investigation.
- UT Physicians and UTHealth are conducting a physical search of all clinics and offices to ensure that there are no other unencrypted laptops or storage devices attached to medical equipment.
- They are tightening the processes for the purchase of medical equipment.
- UT Physicians and UTHealth have initiated additional review processes and inventories and invested in hardware, software and personnel to ensure that all personal information on UT Physicians’ and UTHealth’s computers and hard drives is encrypted.
What Should Organizations Do Next?
- Make sure all mobile devices containing PII and PHI (laptops, smartphones, portable USB drives, thumb drives, etc.) are encrypted.
- Ensure documented policies and procedures are in place, are being followed and reflect actual practices.
- Implement a regular sampling audit of devices to ensure encryption is installed and operational.
- Complete a thorough, bona fide risk analysis of all mobile devices to ensure that all threats, vulnerabilities and controls have been considered.
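The sampling audit and the search for unencrypted devices attached to medical equipment are the two recommendations above that can be turned into a repeatable check. The script below is an added illustration, not code from UT Physicians, UTHealth or the author of this post. It runs a seeded random sample over a constructed device inventory, flags any device whose encryption is not both installed and operational, ranks highest those attached to clinical equipment (the exact gap in this incident), and separately flags devices whose encryption status has not been verified within an assumed 90-day window. The inventory rows, field names, status values and the 90-day window are all assumptions made for the example.

```python
"""Added example: sampling encryption audit over a constructed device inventory.

All field names, inventory rows and the 90-day verification window are
assumptions for illustration, not any organization's actual records or policy.
"""
import csv
import io
import random
from datetime import date, timedelta

# Constructed sample inventory (not real assets). encryption_status values:
#   active    - full-disk encryption installed and enabled
#   installed - agent present but the volume is not actually encrypted
#   none      - no encryption at all
INVENTORY_CSV = """asset_id,device_type,location,attached_to,encryption_status,last_verified
LT-0001,laptop,ortho-clinic,EMG machine,none,2010-02-15
LT-0002,laptop,ortho-clinic,,active,2013-07-01
LT-0003,laptop,billing,,installed,2013-03-20
USB-0010,usb-drive,radiology,ultrasound cart,none,2012-11-02
PH-0020,smartphone,admin,,active,2013-08-01
LT-0004,laptop,cardiology,ECG workstation,active,2012-01-10
"""

AUDIT_DATE = date(2013, 8, 2)   # hypothetical audit date, chosen for the example


def load_inventory(text):
    """Parse the CSV inventory into a list of dicts with a real date field."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_verified"] = date.fromisoformat(row["last_verified"])
    return rows


def find_unencrypted(devices):
    """Devices where encryption is not both installed and operational.
    'installed' alone is a finding: an agent that never enabled encryption
    protects nothing."""
    return [d for d in devices if d["encryption_status"] != "active"]


def find_stale(devices, as_of, max_age_days=90):
    """Devices whose last verification is older than the audit window.
    A device recorded as 'active' years ago is an unverified claim, not evidence."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [d for d in devices if d["last_verified"] < cutoff]


def sample_devices(devices, sample_size, seed):
    """Seeded random sample so a re-run with the same seed is reproducible."""
    rng = random.Random(seed)
    return rng.sample(devices, min(sample_size, len(devices)))


def audit(devices, as_of, sample_size, seed=0, max_age_days=90):
    """Return a findings dict. Unencrypted devices attached to clinical
    equipment are ranked highest because they are the easiest to overlook."""
    sample = sample_devices(devices, sample_size, seed)
    unencrypted = find_unencrypted(sample)
    encrypted_count = len(sample) - len(unencrypted)
    return {
        "sampled": [d["asset_id"] for d in sample],
        "high": sorted(d["asset_id"] for d in unencrypted if d["attached_to"]),
        "medium": sorted(d["asset_id"] for d in unencrypted if not d["attached_to"]),
        "stale": sorted(d["asset_id"] for d in find_stale(sample, as_of, max_age_days)),
        "coverage_pct": round(100 * encrypted_count / len(sample), 1) if sample else 0.0,
    }


def run_default_audit():
    """Audit the whole constructed inventory as of the hypothetical audit date."""
    devices = load_inventory(INVENTORY_CSV)
    return audit(devices, as_of=AUDIT_DATE, sample_size=len(devices))


if __name__ == "__main__":
    report = run_default_audit()
    for level in ("high", "medium", "stale"):
        for asset in report[level]:
            print(f"{level.upper():6} {asset}")
    print(f"encryption coverage in sample: {report['coverage_pct']}%")
```

The point of the separate "stale" bucket is the one a practitioner most often misses: an inventory that says "encrypted" is only as good as the last time someone checked the device, so the audit treats an unverified "active" entry as a finding in its own right rather than as coverage. In production the inventory would come from the endpoint management system rather than an inline string, and the sample size would be set by the size of the fleet rather than covering every row as it does here.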
What Resources Are Available to You?
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
Latest posts by Bob Chaput