A Privacy Breach

Today, Beth Israel Deaconess and UCSF issued press releases about a complex situation.

Over a year ago, an employee of BIDMC who had authorized access to data for quality improvement activities placed clinical data (not financial or social security number data) for approximately 2,900 patients on a thumb drive. The employee left BIDMC and went to work in California for UCSF. While at UCSF, the employee copied the thumb drive to a UCSF owned laptop in order to demonstrate quality improvement reporting. The laptop was stolen, then recovered. There is no evidence that the data on the laptop was accessed.

BIDMC takes this situation very seriously and notified the patients, Health and Human Services, and the media.

As with other challenging situations I've discussed such as the CareGroup Network Outage and the Limitations of Administrative Data, it is my intent to openly share lessons learned with my colleagues and the industry. By writing about the process, I hope to encourage policy and technology improvements at healthcare institutions throughout the country to protect privacy.

A few thoughts

1. Make sure you have a policy requiring that all mobile storage devices be secured. BIDMC has a written policy and is revising it to be even more restrictive.

2. To further mitigate risk, encrypt all laptops. BIDMC has implemented McAfee Safeboot for this purpose. Harvard Medical School has licensed PGP Whole Disk Encryption for this purpose.

3. Educate employees about the policy and technology best practices to protect privacy. A learning management system is great for this.

4. Sanction employees who violate the policies

5. Implement new technologies that scan/restrict data transfers in the organization i.e. scan email for medical record numbers or patient identified information sent non-securely.

The combination of strong policies, state of the art technology, and education is required to protect patient data.

In this case, an authorized employee took data in violation of policies and placed it on technology not controlled by BIDMC. Likely, the laptop data was not accessed but you can be sure that additional education, broad communication with patients, and close collaboration with government and the media will be our next steps.