Risk of Using USB Drives to Store PHI Emphasised by Data Breach
The Mann-Grandstaff VA Medical Center in Spokane, WA has discovered that two USB drives containing the protected health information (PHI) of almost 2,000 veterans were stolen.
The two devices had been used to save data from a standalone, non-networked server that was being decommissioned. One of them was the master drive used to transfer the medical center's Anesthesia Record Keeper database to its virtual archive server. According to a statement released by the medical center, that transfer was carried out in January; why the database was still held on the drive months later has not been explained.
The devices were stolen on July 18, 2017 from a contract employee who was on a service call at a VA hospital in Oklahoma City.
Mann-Grandstaff VA Medical Center could not determine exactly what information was stored on the USB drives, but the database on the virtual archive server was reviewed and found to contain full names, addresses, phone numbers, surgical information, insurance details, and Social Security numbers.
The 1,915 individuals potentially affected are being notified of the breach by mail and have been offered one year of credit monitoring services at no charge.
In September, the same medical center disclosed another data breach: an unencrypted laptop that served as the interface to a hematology analyzer was found to be missing. The laptop held the names, dates of birth, and Social Security numbers of approximately 3,200 veterans. After that breach, the medical center deployed a system that allows devices to be remotely wiped if they are lost or stolen. Remote wipe only takes effect if the device later connects to the network, so it complements rather than replaces full-disk encryption.
Other HIPAA Compliant Options
While moving or storing data on small portable devices such as USB, pen, or zip drives is convenient, such devices are easily misplaced, lost, or stolen. The loss of a USB drive containing unencrypted PHI is a reportable breach and one that could lead to a significant regulatory fine.
Many cloud-based storage services now allow data to be accessed and shared easily. Covered entities still using these small portable devices to store PHI should consider banning their use and moving to HIPAA-compliant cloud storage.
Before using any cloud storage service, HIPAA-covered entities should obtain a signed, HIPAA-compliant business associate agreement (BAA) and train employees on the correct use of the platform. A BAA covers the vendor's obligations; the covered entity remains responsible for configuring access controls, audit logging, and encryption on its side of the service. Alternatively, secure, HIPAA-compliant text messaging platforms can be used to send PHI safely.
If the use of USB drives is unavoidable, any PHI stored on them should be encrypted so that it cannot be read if the device is lost or stolen, or protected by an alternative safeguard that provides an equivalent level of security. Encryption also matters for breach reporting: under the HIPAA Breach Notification Rule, PHI that has been encrypted in line with HHS guidance is considered "secured", so the loss of such a drive is generally not a reportable breach, provided the decryption key or password was not lost along with it.
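The encrypt-or-block control described above can be enforced on Windows endpoints with BitLocker To Go. The following PowerShell script is an added example, not code from this article or from the VA; it assumes Windows 10/11 or Windows Server with the BitLocker module and an elevated session, and the three function names are illustrative. `Get-RemovableDriveEncryptionStatus` reports whether each removable volume is BitLocker-protected, `Protect-RemovableDrive` turns protection on for one volume with a password protector and a recovery password, and `Enable-RemovableDriveWriteProtectionPolicy` sets the registry value behind the Group Policy setting "Deny write access to removable drives not protected by BitLocker" under HKLM:\SOFTWARE\Policies\Microsoft\FVE (in a managed estate this should be delivered by GPO rather than set per machine).

```powershell
# Added example (not from the article): audit and enforce BitLocker To Go on
# removable drives. Requires an elevated PowerShell session and the BitLocker
# module (Windows 10/11, or Windows Server with the BitLocker feature).
# Function names are illustrative, not from any vendor tool.

function Get-RemovableDriveEncryptionStatus {
    # Enumerate removable volumes that have a drive letter and report whether
    # BitLocker protection is active on each.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            [pscustomobject]@{
                MountPoint       = $mount
                Label            = $_.FileSystemLabel
                Protected        = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
                EncryptionMethod = if ($bl) { $bl.EncryptionMethod } else { 'None' }
            }
        }
}

function Protect-RemovableDrive {
    # Turn on BitLocker To Go for one removable volume with a password
    # protector, then add a recovery password so the drive can still be
    # unlocked if the password is forgotten. The password comes from the
    # operator (Read-Host) and is never hard-coded; the recovery password
    # should be escrowed (e.g. in AD or a key vault) before the drive leaves.
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Password
    )
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password -EncryptionMethod XtsAes256 | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}

function Enable-RemovableDriveWriteProtectionPolicy {
    # Registry equivalent of the Group Policy setting
    # "Deny write access to removable drives not protected by BitLocker".
    # Once set, staff can still read unencrypted USB drives but cannot copy
    # PHI onto a drive until BitLocker has been enabled on it.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'RDVDenyWriteAccess' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Usage: audit what is currently plugged in and flag anything unprotected.
$status = Get-RemovableDriveEncryptionStatus
$status | Format-Table -AutoSize
foreach ($drive in ($status | Where-Object { -not $_.Protected })) {
    Write-Warning "$($drive.MountPoint) ($($drive.Label)) is not BitLocker-protected; PHI must not be stored on it."
}
# Enforcement steps, run deliberately rather than on every audit:
# Enable-RemovableDriveWriteProtectionPolicy
# Protect-RemovableDrive -MountPoint 'E:' -Password (Read-Host -AsSecureString 'BitLocker password for E:')
```

The audit output is the check to keep: a drive whose `Protected` column is `False` is exactly the kind of device whose loss would have been reportable in the incident above, and the deny-write policy stops such a drive from being loaded with PHI in the first place.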