Remember the Boston Baskin Cancer Foundation breach involving the theft of a hard drive from an employee’s home? The breach affected almost 57,000 patients and employees. Here’s the summary of OCR’s investigation into the incident:
On December 2, 2014, a Boston Baskin Cancer Foundation employee’s laptop computer and external hard drive were stolen. The external hard drive contained the electronic protected health information (ePHI) of 56,000 individuals and included patients’ names, dates of birth, social security numbers, addresses, phone numbers, clinic medical record numbers, and the first and last dates seen by the clinic. The investigation concluded that the ePHI was copied and stored on an unencrypted external hard. The covered entity (CE) provided breach notification to HHS, affected individuals, and the media, and offered affected individuals complimentary credit monitoring. In response to the breach, the CE deployed software to prevent the downloading of unencrypted documents from computers to portable media. The CE implemented a policy requiring employees to create a passcode for their mobile devices. The CE also revised its risk management policy and established procedures for the removal of hardware and electronic media containing ePHI. After the breach the CE retrained staff and physicians on its HIPAA policies. OCR obtained assurances that the CE implemented the corrective actions listed above.
All too often, I don’t see where OCR requires an entity to actually harden their technical safeguards. In this case, though, it seems like the entity really made a number of improvements that would help reduce the risk of future breaches. Glad to see it!