The incident at the Massachusetts eHealth Collaborative involves the theft of a laptop containing protected health information (PHI) from an employee's car. Even though the laptop was part of a professionally managed enterprise network, protected by a strong username and password, with the patient files themselves password-protected as well, the files containing PHI were not encrypted and were therefore exposed once the device was in the thief's hands. Dr. Tripathi recounts in detail all that transpired from the time the laptop was stolen to the point where the case was officially closed by OCR (the Office for Civil Rights).
HIPAA compliance requirements and Massachusetts state law take the security and privacy of patient health information very seriously. I blogged about the consequences of medical identity theft, the importance of patient data security, and the protection and recovery of mobile devices in my previous blogs. The Massachusetts eHealth Collaborative paid almost $300,000 to cover the various costs associated with dealing with the incident, not to mention the time lost in the process. The potential loss of reputation for the physician practices involved and, most importantly, the risk to the patients whose medical records were affected are other significant consequences to be considered. Not all organizations can survive this kind of adverse consequence.
Dr. Tripathi's account of his data breach experience is a must-read for all healthcare practices, other covered entities, business associates, and their contractors. I thank him for sharing his experience. I hope that it will serve as a wake-up call to all healthcare practices to take the necessary steps to ensure the security and privacy of their PHI at all times. Hoping or believing that a data breach won't happen to your practice is not a strategy I would recommend.