On December 27, I blogged:
Four days after a computer was stolen from Inspira Medical Center Vineland, the hospital still can’t say whether there was any patient data on it?
The hospital issued a statement the next day saying that no patient data was on the stolen computers, but as I noted on January 17, when they announced an arrest had been made in the case on December 30:
When contacted Friday, another spokesman reiterated Inspira does not believe the stolen equipment contained patient information. “We are still reviewing to confirm that is correct,” spokesman Paul Simon said.
So more than three weeks after the theft, they still weren’t sure whether patient data was on the stolen computer(s)? That suggests a serious failure in safeguards and inventorying, as I suggested back in December 2013.
Now today, Don E. Woods reports:
Inspira Health Network plans on notifying 1,411 patients about a potential data breach after a former employee allegedly stole two computers from Vineland’s radiology department last December.
The health network is sending out letters this week to patients who had imaging studies at Inspira Medical Center Vineland from January 2009 to Dec. 23, 2013.
Inspira has reportedly tried to reassure that there is low risk of acquisition of PHI or misuse, even though:
By conducting an analysis of a similar computer to the ones stolen, Inspira determined that the hard drive may have contained patient information stored as temporary Internet files, including X-rays, scans, patient names, birth dates, patient numbers, dates of service, and even some cases of Social Security numbers.
It was also determined, according to Inspira, that it would be highly unlikely for anyone to retrieve this data from the discarded hard drive and that person would face “significant difficulties” retrieving the data.
Inspira notified the patients as a precautionary measure and continues to cooperate with the ongoing investigation.
Read more on NJ.com
There does not seem to be any notice linked from either Inspira’s or Vineland’s homepage.
This is probably a breach that HHS may wish to pursue as it points to the risks of not knowing whether PHI is on your devices or not. It also reminds us about the risks of retaining old patient data on devices. Why were data from 2009 still on the computers instead of being transferred to backup or storage?