A hard drive was sold to a German doctor without being wiped, exposing U.S. patient information

10 June 2013

Author: Patrick Ouellette

A Montgomery, Maryland clinical social worker self-reported a patient privacy incident that occurred between late in 2012 and early 2013. Kara Falck recently sent a letter to the Baltimore Office of the Attorney General (OAG) that explained why seven clients’ data was exposed due to a vendor’s poor patient privacy procedures.

Falck had been using an Other World Computing (OWC) hard drive to hold patient data (exactly what was stored on it is unknown) for about a month until it stopped working and had to be returned to OWC on Nov. 28, 2012. While Falck expected the patient data on the device to be wiped clean, OWC ended up selling it to a German doctor named Gerhard Binker with the patient data still readable. Binker emailed Falck in January to alert her that patient data was still on the device.

Falck had never encrypted the drive and instead relied upon her PC’s password protection to secure the data, so she bought the hard drive back from Binker. She also sent each of the patients whose data was on the hard drive a letter explaining that the vendor had resold the hard drive without wiping it fully.

It’s commendable that Falck did right by her patients in a transparent manner and did her best to ensure their data wasn’t exposed and misused. But more than anything else, this story sheds light on the fact that there is still a great deal of misinformation in the healthcare industry regarding patient privacy practices and technical safeguards for clinical data. Falck is open about not being well-read on encryption, but is working toward becoming more knowledgeable on the subject. The real responsibility here, however, should be directed toward OWC, which is clearly lacking in patient privacy protocols. Had Binker not emailed Falck and instead wanted to sell the data for profit, he could have done so with great ease. OWC wouldn’t have noticed either way and seemed to turn a blind eye to the risks associated with exposed patient data.

Information from PHIPrivacy.net was used in this article.

LabCorp has also notified the Baltimore OAG that it was involved with a 115-patient data breach on March 15. On April 19, it sent a letter to OAG that a PC meant to be destroyed was stolen from a North Carolina facility.

Patient data on the computer included names, dates of birth, and Medicare subscriber numbers, but it’s unknown how many of the 115 patients actually had protected health information (PHI) on the device.

Article Sourced From: http://healthitsecurity.com/2013/06/10/social-worker-tells-baltimore-oag-of-patient-data-breach/