Protected Health Information of 2100 Patients Exposed After 2 Hard Drives Stolen

Jack Murtha

The Chesapeake Regional Healthcare data breach emphasizes the wide-ranging threat to patients’ medical records.

If the steady stream of healthcare data breaches shows anything definitive, it’s that protected health information is in constant danger—from any number of different kinds of security lapses and attacks.

A few days ago, for instance, the Virginia-based health system Chesapeake Regional Healthcare (CRH) informed 2100 patients that their protected health information might have been exposed after the institution lost track of 2 unencrypted portable hard drives. Data regarding patient names, birth dates, medical record numbers, demographics, prescription medications, and surgeries and procedures performed were all stored on the hard drives, according to the organization.

But the electronic devices did not contain Social Security numbers, home addresses, or billing details, the health system noted.

“CRH is adding improvements to safeguard portable hard drives and has enhanced company policies and procedures to prevent future incidents,” the institution said.

A media representative for Chesapeake didn’t immediately respond to an email requesting comment and additional information.

Whether a thief stole the hard drives from the health system is unclear. But after performing its own investigation, CRH contacted law enforcement, according to the announcement.

Although CRH owns 2 hospitals and dozens of additional facilities, the data breach affected just 1 arm of the health system: the CRH Sleep Center in Chesapeake, Virginia. Patients who received care there between April 2015 and February 2018 were exposed in the incident, according to the institution.

CRH learned of the data breach in early February and published a corresponding press release 2 months later.

The health system has offered a year of free credit monitoring and identity theft protection services to affected patients, who will “receive assistance if their electronic medical records are discovered to have been used inappropriately,” according to CRH.

The data breach doesn’t fit the clichéd vision of a black-hat hacker breaking into a network through a cybersecurity vulnerability, but many of these incidents, in fact, occur through low-tech holes. Indeed, poorly designed mailers have exposed thousands of patients’ protected health information over the past year. (In Massachusetts alone, roughly 70,000 patients fell victim to this old-school snafu.) Errant emails have also compromised patient data in recent months, as have any number of incidents involving loss and theft.

It all points to the fact that data threats can come from anywhere and everywhere.

In the CRH case, it’s unclear who caused the data breach. At this time, there’s no indication that it was an employee. But when healthcare organizations try to shore up their defense systems, they must consider inside threats. As noted in report after report, employees have stolen or improperly accessed sensitive medical data time and again.
