The nonprofit Family Planning Council in Philadelphia
has reported that a USB flash drive containing information on 70,000 patients
was stolen in December and has not been recovered.
The council provides funding
to Philadelphia-area health care organizations offering family planning and
reproductive health services such as HIV and STD screening, cancer screening
and teen pregnancy prevention. It discovered the breach Dec. 28 and reported
the incident to the Philadelphia Police Department.
A former Family Planning
Council employee, Kelly Len Stanton, 41, was arrested Feb. 9 on charges related
to the flash drive theft, Tasha Jamerson, a spokesperson for the Philadelphia
District Attorney's office, told eWEEK.
Stanton was charged with
burglary, theft, criminal trespass and receiving stolen property, Jamerson
said. As of April 14, he's being held on bond while awaiting trial. A
pretrial conference is scheduled for April 21, Jamerson said.
Sarah Grambs, a spokesperson
for the Family Planning Council, confirmed to eWEEK that Stanton's employment
at the organization ended Dec. 28, the same day the breach was discovered.
Stanton was a peer counselor
in the council's HIV program, Melissa Weiler Gerber, the council's executive
director, told the Philadelphia Inquirer.
The theft occurred between
Dec. 23 and Dec. 27, and the council delayed notifying patients and the public
until April at the request of the police department and Philadelphia District
Attorney's office.
The data at risk belonged to
many health care providers for which the council processes data for reporting
and billing purposes. The council notified these providers Jan. 13. They
include Planned Parenthood Southeastern Pennsylvania and The Children's
Hospital of Philadelphia.
Patients with exposed information
on the flash drive had received reproductive health services between Oct. 2,
2008, and Nov. 30, 2010. Data on the flash drive included patient name,
address, phone number, Social Security number and date of birth. Data on the
drive had not been accessed, the council believes.
As is customary for health
care companies suffering data breaches, the council is offering free credit
protection and monitoring to affected individuals.
To prevent future data
breaches, the council will require encryption on removable storage devices,
retrain staff and increase building security.
The Family Planning Council
incident is just the latest in a series of flash drive data breaches to be
reported. On Feb. 23, Henry Ford Health System in Detroit notified the public
of a lost flash drive containing information on 2,777 patients, and on
Sept. 20, insurer AmeriHealth Mercy reported a missing flash drive that stored
data on 280,000 Medicaid members.
The alarming pattern of
breaches shows a real need to take preventive measures before these incidents
occur, according to Liesl Schwoebel, manager of global strategic B2B marketing
for Kingston Technology, a major flash drive manufacturer.
Health providers are often
hesitant to implement security changes due to cost, Schwoebel told eWEEK.
The stolen flash drive at
Family Planning Council was simply password-protected rather than encrypted,
Schwoebel noted.
Steps companies could take
to better secure data include encrypting the devices, monitoring data transfer
on the drives using back-end management software and creating an audit trail.
"It's a bit
intimidating for health care organizations to understand what is the right
level of encryption for what they need," Schwoebel said. "There are
different types of drives that offer different levels of security, and they
should work with someone to analyze what's the correct level of security they
need for their data and put together an overall plan to make sure that the USB
drives they do provide to their customers meet the standards for data loss
prevention."