Psychiatric Hospital Loses Unencrypted Backup Data Tapes Containing Sensitive Information
McLean Hospital, a Harvard-affiliated psychiatric facility in Belmont, Mass., has reported the loss of four unencrypted backup tape drives containing personal information on 12,600 individuals, including deceased patients.
"It is a very serious breach, because this information is extremely sensitive," says Deborah Peel, M.D., a practicing psychoanalyst and founder and chair of the advocacy group Patient Privacy Rights.
"The fact that the back-up tapes were not encrypted is a serious data security breach," she says. "You'd think Harvard would hold itself to the highest standards of data protection, especially because it has long attracted VIP patients, scholars, and celebrities. But no."
Information at Risk
On May 29, a hospital employee reported that four backup data tapes related to the Harvard Brain Tissue Resource Center, or HBTRC, located at the facility were missing, a hospital spokeswoman tells Information Security Media Group.
"It took a while to understand the scope and type of information contained on the backup tapes," she says. The hospital finally determined that the lost unencrypted storage devices contained information on 12,600 individuals, including some of the hospital's deceased patients and other individuals who donated brain tissue for medical research, or who had registered as potential donors after death, she says. Typically, the donors were patients with various psychiatric conditions or neurodegenerative diseases, and sometimes their family members, she adds.
The information contained on the tapes includes names, dates of birth, diagnoses, and, in some cases, Social Security numbers. However, the hospital says in a statement the incident did not involve any patient information from its medical records system.
McLean Hospital is offering one year of free credit monitoring to affected individuals. The hospital says it has no evidence that any of the information on the tapes has been accessed or used inappropriately. "It would take specialized software, equipment, and technical expertise in order to access the information on the tapes," the hospital says.
In the wake of the incident, the hospital has implemented new procedures relating to the security of its HBTRC research backup tapes, including the use of encryption, and is making enhancements to its process for the handling and storage of the backup tapes, according to its statement. The McLean spokeswoman, however, declined to provide details of how the hospital is bolstering its information security procedures.
McLean Hospital is part of Partners HealthCare System, an integrated health delivery network that also operates several other Boston-area hospitals, including Massachusetts General. Partners in April reported another breach affecting 3,300 individuals. That incident involved a phishing attack late last year that targeted workforce members, who were tricked into providing credentials in response to the emails, believing the messages were legitimate, Partners said.
Partners said a comprehensive review of the affected email accounts determined that some of the exposed emails contained patients' information.
And back in 2009, a Massachusetts General Hospital employee lost paper documents on a subway train that included information on 192 patients with HIV/AIDS. In February 2011, the hospital and its physicians organization agreed to pay a $1 million settlement and to take corrective action.
Higher Standards Needed?
The fact that health data breaches involving sensitive patient information keep happening indicates that the bar still isn't set high enough for health information security and privacy at many organizations, says Peel, the privacy advocate.
"Perhaps all holders of health records should be required to have external audits at least annually to prove they adhere to the highest data security standards, and lose accreditation if they are not up to standard," she says. "Clearly increasing penalties for breaches hasn't made a dent at all.
"We require banks to prove they use state-of-the-art data security to open their doors. Maybe if healthcare institutions had to prove their data security protections are as tough as those required of banks, the culture might change. Maybe we need more regulatory oversight."