HIPAA Horror Stories

The Lost Thumb Drive


A Tiny Storage Device Causes Big Privacy Breach

A Massachusetts dermatology practice learned the importance of protecting patient records after a federal investigation determined the business lost control of thousands of private medical documents.

When a complaint was made to the Office for Civil Rights (OCR), the investigative agency of the Department of Health and Human Services, that a thumb drive had been stolen from a car owned by an Adult & Pediatric Dermatology (APDerm) staff member, investigators knew the results could be devastating to patient privacy. The thumb drive contained the electronic protected health information (ePHI) of 2,200 patients.

APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire.

Privacy Breach Caused By Non-Compliance

The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with the Breach Notification Rule's requirements to have written policies and procedures in place and to train workforce members on them.

“As we say in health care, an ounce of prevention is worth a pound of cure,” said then-OCR Director Leon Rodriguez. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”

Breach Notification Failure Costs Are Huge

Following the investigation, APDerm agreed to pay $150,000 to settle the violation and participate in a federally monitored corrective action plan. APDerm agreed to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

Do you have a plan to manage all of your organization’s hardware containing ePHI, including laptops, mobile phones, thumb drives, and portable hard drives? If not, we’re here to help.


The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.


Copyright © 2020 ET&C Group LLC.
