The Henry Ford Health System in Detroit has started notifying by postal mail 2,777 patients affected by a missing flash drive.
The nonprofit health system, founded in 1915 by auto pioneer Henry Ford, serves 102,000 patients annually.
The Henry Ford Health System on Feb. 8 began its investigation of the Jan. 31 security breach to determine the affected patients and what information the device held. The health system is unaware of how the flash drive disappeared, but now knows that patients tested at the hospital for a urinary tract infection from July 2010 to October 2010 were affected.
The flash drive held patient names, medical record numbers, the number of tests ordered, test results, test dates and test locations. No Social Security numbers were on the drive, however.
As part of a "zero-tolerance policy" implemented following the Jan. 31 breach, Henry Ford will suspend or terminate employees who leave computers, smartphones or flash drives unsecured, the hospital system reports.
Within 90 to 120 days of its Feb. 23 announcement, Henry Ford also plans to encrypt all electronic devices in its facilities and educate employees about how to safeguard health data on both electronic devices and paper.
In the letter to affected patients, the hospital offered them a year of identity monitoring. Health systems must notify patients within 60 days of a breach of unsecured health data.
"The security of our patients' health information is our top priority, but we need to do a better job of securing information stored on electronic devices," Meredith Phillips, Henry Ford's chief privacy officer, said in a statement. "Our patients deserve and expect that when we access their information or store it on an electronic device for work purposes, it's done appropriately and with the required security protections. Anything short of that breaches the confidence that Henry Ford has established with its patients for almost 100 years."
Phillips apologized for the incident. "The disappointing aspect of this situation is that it was preventable," she said. "Common sense should tell you that if you're carrying patients' health information on an electronic device, it needs to be encrypted, period."
No information has been misused, according to Phillips.
In a similar case, an employee at Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan, in Philadelphia, misplaced a flash drive on Sept. 20, placing at risk the personal information of 280,000 Medicaid members.
Meanwhile, on Sept. 24, a laptop belonging to a Henry Ford employee and containing information about 3,700 patients was stolen from an unlocked urology medical office at the facility.
"This laptop did not have the proper security protections that we require for laptop computers storing patient information," Phillips said in a November statement.
The laptop held patient information related to prostate procedures from 1997 to 2008, and included patient name, medical record number, date of birth, mailing and e-mail addresses, telephone number, information on treatment and visits to physicians. Like the flash drive lost in January at Henry Ford, the computer did not hold Social Security numbers or health insurance ID numbers.
The Henry Ford Health System announced steps to educate employees about protecting patient data stored on laptops. These seminars were expanded to include other electronic devices following the January flash drive breach.