California’s Santa Rosa Memorial Hospital is reassessing its security strategy after an unencrypted USB drive containing the health information of approximately 34,000 patients was stolen from an employee’s locker on June 2.
Staff at the 278-bed hospital, operated by the St. Joseph Health System (SJH), are currently notifying the patients whose X-ray data was compromised in the theft at the hospital’s outpatient imaging center. The stolen USB drive also contained patient names, medical record numbers, dates of birth, dates of service and gender information.
Pending further investigation, the hospital has declined to comment on its policy for employees handling the personal health information of its clients, on encryption, or on the employee’s designation and authorization. Reports, however, affirm that the employee concerned had left her locker unlocked when the burglary took place.
The employee had kept the X-ray records on the unencrypted drive as a backup in preparation for the hospital’s transfer from the clinical information system (previously used by the Redwood Regional Medical Group) to an Electronic Medical Records (EMR) system, a company-issued press release stated, adding that the process transferred operations of the hospital’s imaging center effective April 1.
Moreover, SJH’s President Todd Salnas apologized for any inconvenience the patients and their families had incurred, adding that the hospital had enhanced its security measures and boosted its training strategy at its new Sotoyome Drive facility to prevent such an intrusion from happening again.
Additionally, Santa Rosa Memorial’s officials are offering a yearlong credit monitoring and identity theft protection service for the patients affected.
According to the Department of Health and Human Services (HHS), this is SJH’s third reported Health Insurance Portability and Accountability Act (HIPAA) breach. Interestingly, all the previous incidents also involved the theft or loss of unencrypted electronic devices, the HHS added.
In 2010, SJH’s St. Joseph Heritage Healthcare reported that 22 computers were stolen from its office, five of which contained protected health information of about 22,000 patients. Moreover, in 2013, a portable electronic device containing the protected health information of more than 1,000 patients was misplaced at SJH’s Redwood Memorial Hospital.