Bloodworks Northwest is notifying 1,893 patients that some of their protected health information (PHI) has been exposed after a document containing the information went missing from an employee’s desk.
Bloodworks Northwest is a blood bank and medical research institute based in Seattle, WA, serving over 90 hospitals in the region.
On March 13, 2019, Bloodworks discovered a list containing patients’ names, dates of birth, and medical diagnoses had gone missing from an employee’s desk. The document did not contain particularly sensitive information such as Social Security numbers or financial information. Employees immediately started an extensive search for the list, but could not locate it.
Although the incident ostensibly involves a physical document going missing, the Notice of Data Privacy Event on the Bloodworks website says “While we are unaware of any misuse of the personal information in the impacted email account, we encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious activity.”
It is unclear whether this is an error or if an email account was also compromised. It is possible that this is a ‘standard message’ that was prepared ahead of time in case of a data breach and was repurposed, but not altered, for this incident. The breach report submitted to the HHS’ Office for Civil Rights suggests the breach solely involved the loss of paperwork.
The Notice of Data Privacy Event statement also states: “Bloodworks takes information privacy and security matters extremely seriously and will remain vigilant in its efforts to safeguard and protect patient information, while taking any additional steps that may be necessary to mitigate and remediate this incident.”
Bloodworks has established a toll-free number for affected patients to learn more about the data breach and has published on its website recommended best practices that individuals can follow to mitigate the risk of identity theft or fraud.
This incident highlights the importance of ensuring that physical PHI is also protected from theft or misuse. Much attention is given to ePHI and the risk of hacking incidents and cyber attacks. While these incidents do tend to affect more significant numbers of patients, that does not give HIPAA covered entities license to ignore the threats posed to physical forms of PHI. Careful consideration should be given to the Security Rule’s physical safeguards and how they should be implemented to ensure that all documents containing sensitive data can be protected.