First the statement from Indiana University Health Arnett Hospital from December 31:
IU Health Arnett is committed to maintaining the privacy and security of personal information provided to us. Regrettably, this notice concerns an incident involving some of that information.
On November 20, 2015, we learned that an unencrypted portable storage device was missing from the Emergency Department, and an ongoing search continues. We immediately began an investigation and determined that the device contained spreadsheets with limited patient information from Emergency Department visits that occurred between November 1, 2014 and November 20, 2015. The spreadsheets may have included patients’ names, dates of birth, ages, home telephone numbers, medical record numbers, dates of service, diagnoses and treating physicians. The spreadsheets did not contain any Social Security numbers, financial information, or medical records and patient care will not be affected. We are continuing to search for the device but are informing you in the event we are unable to locate it.
This incident did not affect all IU Health Arnett patients; only those treated in the Emergency Department between November 1, 2014 and November 20, 2015.
IU Health Arnett has no reason to believe the information on this device has been improperly accessed or used; however, we sent letters to affected patients on December 31, 2015. If you believe you are affected but do not receive a letter by January 15, 2016, please call 1-888-653-5244, Monday through Friday between 9:00 a.m. and 9:00 p.m. Eastern Time.
We apologize for any inconvenience this may cause our patients. IU Health Arnett takes very seriously its obligation to maintain patient information secure, and we appreciate the trust our patients place in us. We are taking steps to enhance the protection of portable storage devices and are reviewing policies and procedures to minimize the chance of such an incident occurring in the future.
This is not their first reported breach. They reported one in May 2013, also involving Arnett, and one in 2012 involving Goshen. Then there was an earlier 2011 incident involving the School of Medicine, and another 2011 incident involving the School of Optometry. If you check HIPAA Helper, you’ll find a lot of entries, but many of them appear to be different agencies looking at the same incident, or individual or small-N complaints.
For the current incident, WBAA reports that 30,000 patients were notified.
So, will the FTC open an investigation? Isn’t the failure to adopt industry standards grounds for an enforcement action these days?