Data Breach Underlines Threat of Utilizing USB Drives to Save PHI

The Man-Grandstaff VA Health Complex in Spokane, Washington has found 2 USB drives having the PHI of nearly 2,000 old-timers have been stolen.

The two appliances were used to save data from a separate, non-networked server which was being taken out. Among the appliances was the master drive utilized to shift Anesthesia Record Keeper database of the medical center to its virtual archive server. As per a statement released by the medical center, that displacement had happened in January. It’s not clear why the database was on the drive even now.

The appliances were stolen on July 18, 2017, from a bonded worker when on a service call to a VA hospital in Oklahoma.

Man-Grandstaff VA Health Complex was unable to decide precisely what info was saved on the USB drives, even though the databank on the virtual archive server was examined and found to have full names, phone numbers, addresses, insurance information, surgical information, and Social Security numbers.

1,915 people who have possibly been impacted are being informed of the breach by post and have been provided credit checking facilities for 12 months free of charge.

In September, the same medical complex declared another data breach had happened. An unencrypted laptop which was utilized as a crossing point with a hematology analyzer was found to be misplaced. The files on the laptop contained names, the Social Security numbers and dates of birth of roughly 3,200 old-timers. After that breach, the medical complex applied a system which lets appliances to be distantly cleaned in the event of theft or loss.

HIPAA Compliant Substitutes to USB Drives

Although storing or transporting data on small moveable appliances like a pen, USB, or zip drives is suitable, the appliances are easily lost, stolen or misplaced. The loss of a USB drive having PHI is a reportable breach and one which might possibly lead to a substantial regulatory penalty.

There are now several cloud-based storage alternatives which allow files to be easily shared and accessed. Protected units still using these moveable appliances to save PHI must consider prohibiting the use of the appliances and shifting to HIPAA-compliant cloud-storage.

Before using any cloud storage facility, HIPAA protected units must get an initialed, HIPAA-compliant BAA and train workers on the accurate use of the storing platform. Otherwise, safe, HIPAA-compliant text messaging platforms can be utilized to communicate PHI securely.

If the use of USB appliances is not avoidable, any PHI saved on the appliances must be encrypted to avoid illegal access in the event of theft or loss, or a substitute safety measure which provides an equal level of safety.