The recent update to the HHS breach tool made me aware of a breach involving Georgetown University Hospital that affected over 1,500 patients.
The following statement was issued by Georgetown University Hospital, who kindly provided this site with a copy of the notification:
A USB thumb drive storing patient information was recently determined to be misplaced at Georgetown University Hospital. The unsecured thumb drive contained data on 1,526 people who were Georgetown University Hospital (GUH) patients between September 2004 and September 2009. We have no reason to believe the device was stolen or that any of the information will be misused. We do not believe that patients will be adversely affected by the loss of this thumb drive. The thumb drive did not store any addresses, social security numbers, and/or financial information and remain secure
The thumb drive was last seen September 9, 2011 but was not identified as missing until the morning of September 14, 2011 and is now presumed to be lost. After becoming aware of this matter GUH leadership immediately started a thorough investigation. Through the investigation GUH has determined that information related to patients of the Department of Laboratory Medicine was compiled for the purpose of investigating data that would be used for educational purposes. GUH is permitted to review medical information for research and educational purposes and is permitted to use USB drives to transport data. However the technician who compiled the data did not utilize the correct secure technology to protect the information, which is against hospital policy.
Data on the hard drive included patient names, medical record number, date of birth, blood type, date of blood test, blood test results and interpretation, brief clinical history and clinician name.
We are in the process of contacting all of the patients whose information was on the thumb drive. We believe no further actions are required of patients at this time.
We are taking strong and appropriate actions to prevent this kind of data loss from recurring and we are taking all the necessary steps to notify appropriate regulatory authorities, as well as re-evaluating our processes to ensure that we continue to use and disclose patient information only as permitted by law and in accordance with our Notice of Privacy Practices.
GUH values the privacy of all medical information as an important part of our commitment to the clinical care of our patients and our research and education missions. We view the protection of patient privacy as an essential component of our vision to be the Trusted Leader in Caring for People and Advancing Health and our mission to serve our patients.
For additional information, contact Marianne Worley, director of media relations at Georgetown University Hospital at 703-558-1287.
That statement, which is simply written and wonderfully clear, does not really match the entry on HHS’s breach tool, though:
Georgetown University Hospital, DC,”1,549″, 11/1/2011, Unauthorized Access/Disclosure,Paper
This was not a disclosure or unauthorized access. Nor was it an incident that involved paper records. And the incident didn’t happen November 1. Of course, it’s possible that the GUH employee who entered the data on the breach tool didn’t click the right buttons or had misunderstood the breach or reporting fields at the time of reporting. But I never expected to see a missing USB drive report based on the entry in the breach tool.
So what’s going on and how much can we trust the coding on the breach tool for analysis purposes?
And is it time for HHS to refine their reporting tool to provide more categories such as “lost or missing?” I guess it depends on how HHS and others see the purpose of the breach tool, but for myself, I’d like to see it be a little less vague/confusing on incident coding.