Missing Laptop Sees Protected Health Information of 3,725 Old-timers Disclosed

A withdrawn laptop earlier utilized by the Mann-Grandstaff VA Medical Complex in Washington has been found to be misplaced, possibly culminating in the revelation of confidential patient files.

The device was combined with a hematology analyzer as well as saved files pertained to hematology checks. The laptop computer was used from April 2013 to May 2016 but was taken out when it became useless. The laptop computer, which had been provided by a dealer, was substituted; nevertheless, an equipment register showed the appliance to be misplaced.

The appliance must have been given back to the dealer, even though the dealer has no evidence of the laptop computer ever being recollected from MGVAMC. A register of equipment at the MGVAMC laboratory verified the appliance was misplaced. A complete search of the medical facility was carried out but the laptop computer couldn’t be found.

It was impossible to tell precisely what info had been saved on the laptop, or the precise quantity of patients whose PHI might have been revealed. MGVAMC established all patients who presented samples for hematology checks during the days that the laptop computer was in use possibly had files revealed.

As per a statement issued by MGVAMC the kinds of information saved on the appliance would have included names, Social Security numbers, and dates of birth. 3,275 patients have possibly been affected and have been informed of the possible breach. Where appropriate, patients will be provided credit checking and identity thievery safety facilities.

Whenever equipment having electronic PHI is taken out, HIPAA-covered units should make sure all data is made indecipherable, unreadable, and otherwise can’t be rebuilt.

The physical protections specified in the HIPAA Safety Law – 45 CFR 164.310(d)(2)(i) – need protected units to implement procedures and policies to tackle the final nature of electronic PHI and/or the hardware on which it is saved, whereas 45 CFR 164.310(d)(2)(ii) needs protected units to apply methods for the elimination of electronic PHI from electronic media before the media are made accessible for re-use.

OCR suggests “abolishing the media (pulverization, disintegration, incinerating, melting, or shredding), clearing (using hardware or software creations in order to write media with non-sensitive information), or removing (degaussing or displaying the means to a powerful magnetic field to upset the recorded magnetic fields). If appliances are provided by sellers, the procedure for clearing the appliances before decommissioning must be discussed with the seller and plans developed correspondingly.

In reaction to this occurrence, the Mann-Grandstaff VA has created a new plan for disinfecting electronic media before decommissioning, disposal, or returning appliances to sellers to avoid more possible breaches of ePHI.