Liz Austin Peterson of the Houston Chronicle reports:
Confidential medical information for about 1,200 Harris County Hospital District patients may have been compromised when an electronic device used to store the data was lost or stolen, district officials said Wednesday.
An employee transferred the information onto the device in order to complete a project away from the office and now cannot find it, hospital district spokesman Bryan McLeod said in a brief written statement.
Full story – Houston Chronicle
What reason would a low-level employee have to download patients’ PRIVATE information on a flash stick? If the employee had to work on a special project, the work should have been done at the office. What kind of special project? Isn’t it mandatory that healthcare providers provide training to employees on a yearly basis regarding protected information (even low-level employees should be included)?
We’ve seen a ton of breaches caused by employees in all sectors taking personal information home to work on. Remember the theft of a laptop containing personal info on 26.5 million veterans from an employee’s home? And in the business sector, an employee managed to steal personal info on 2 million customers because even though the company had tried to prevent such theft by making it impossible to download data to flash drives, they had failed to secure one particular computer that way and the thief/employee reportedly took advantage of that.
Do you ever wonder how many physicians and healthcare providers carry patient info with them on PDAs and then lose the PDAs without ever letting us know?
We still have a loooooong way to go on protecting personal information. In this case, I’d want to know what policies the facility had in place. Were the policies adequate but an employee violated them, or weren’t the policies adequate to begin with?