Liz Austin Peterson of the Houston Chronicle reports:
A low-level Harris County Hospital District administrator probably violated federal law when she downloaded medical and financial records for 1,200 patients with HIV, AIDS and other medical conditions onto a flash drive that later was lost or stolen, legal experts said Thursday.
[…]
“This is an egregious invasion of people’s privacy … but the history of privacy violations in the United States is that there’s all kinds of smoke, but very little enforcement of privacy laws,” said Dr. William Winslade, who teaches health law at the University of Houston.
The hospital district has released little information about the situation. On Wednesday, spokesman Bryan McLeod issued a brief statement to the Chronicle saying patients affected by the breach would receive a letter in the mail and would be allowed to enroll in a credit protection program at the district’s expense. The district has strengthened its policies and procedures regarding the use of transportable media devices, the statement said.
Harris County Judge Ed Emmett, who was briefed on the problem Thursday morning, described the situation as “the worst possible thing” imaginable. The data stored on the drive was not password-protected or encrypted and included “total files” ranging from names, birth dates and Social Security numbers to medical diagnoses and treatments, he said.
McLeod later issued a second brief statement saying the data on the device included the patients’ names, medical record numbers, billing codes, the facilities where the office visits occurred and other billing information. It also included the patients’ Medicaid or Medicare numbers, which can indicate their Social Security numbers or those of their spouses.
[…]
More – Houston Chronicle