Detroit's Henry Ford Health System has begun notifying the 2,777 patients affected in a data breach involving a lost flash drive.
The Henry Ford Health System in Detroit has started notifying by postal mail 2,777 patients affected by a missing flash drive.
The nonprofit health system, founded in 1915 by auto pioneer Henry Ford, serves 102,000 patients annually.
The Henry Ford Health System on Feb. 8 began its investigation of the Jan. 31 security breach to determine the affected patients and what information the device held. The health system is unaware of how the flash drive disappeared, but now knows that patients tested at the hospital for a urinary tract infection from July 2010 to October 2010 were affected.
The flash drive held patient names, medical record numbers, the number of tests ordered, test results, test dates and test locations. No Social Security numbers were on the drive, however.
As part of a "zero-tolerance policy" implemented following the Jan. 31 breach, Henry Ford will suspend or terminate employees who leave computers, smartphones or flash drives unsecured, the hospital system reports.
Within 90 to 120 days of its Feb. 23 announcement, Henry Ford also plans to encrypt all electronic devices in its facilities and educate employees about how to safeguard health data on both electronic devices and paper.
In the letter to affected patients, the hospital offered them a year of identity monitoring. Health systems must notify patients within 60 days of a breach of unsecured health data.
"The security of our patients' health information is our top priority, but we need to do a better job of securing information stored on electronic devices," Meredith Phillips, Henry Ford's chief privacy officer, said in a statement. "Our patients deserve and expect that when we access their information or store it on an electronic device for work purposes, it's done appropriately and with the required security protections. Anything short of that breaches the confidence that Henry Ford has established with its patients for almost 100 years."
Phillips apologized for the incident. "The disappointing aspect of this situation is that it was preventable," she said. "Common sense should tell you that if you're carrying patients' health information on an electronic device, it needs to be encrypted, period."
No information has been misused, according to Phillips.
In a similar case, an employee at Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan, in Philadelphia, misplaced a flash drive on Sept. 20, placing at risk the personal information of 280,000 Medicaid members.
Meanwhile, on Sept. 24, a laptop belonging to a Henry Ford employee and containing information about 3,700 patients was stolen from an unlocked urology medical office at the facility.
"This laptop did not have the proper security protections that we require for laptop computers storing patient information," Phillips said in a November statement.
The laptop held patient information related to prostate procedures from 1997 to 2008, and included patient name, medical record number, date of birth, mailing and e-mail addresses, telephone number, information on treatment and visits to physicians. Like the flash drive lost in January at Henry Ford, the computer did not hold Social Security numbers or health insurance ID numbers.
The Henry Ford Health System announced steps to educate employees about protecting patient data stored on laptops. These seminars were expanded to include other electronic devices following the January flash drive breach.
Brian T. Horowitz is a freelance technology and health writer as well as a copy editor. Brian has worked on the tech beat since 1996 and covered health care IT and rugged mobile computing for eWEEK since 2010. He has contributed to more than 20 publications, including Computer Shopper, Fast Company, FOXNews.com, More, NYSE Magazine, Parents, ScientificAmerican.com, USA Weekend and Womansday.com, as well as other consumer and trade publications. Brian holds a B.A. from Hofstra University in New York.