Summary of the breach
A laptop computer containing information about patients of Cincinnati Children’s Hospital Medical Center was stolen. Although nothing indicated that the information on the computer had been misused, the Hospital undertook to notify the affected patients in a letter dated May 28, 2010, offering them identity protection free of charge. The laptop was stolen from an employee’s vehicle a day before Hospital management made the offer of identity protection. The incident was reported to the police. The information on the computer consisted of patients’ personal details such as their names, their medical record numbers, and the services they had received at the hospital. It did not include patients’ Social Security numbers or telephone numbers, nor any credit card information. Because the information on the laptop was password-protected but not encrypted, Cincinnati has undertaken to strengthen its encryption practices.
Was the breach a failure of an administrative, technical, or physical safeguard?
The breach was technical because password protection of documents on a laptop does not make them safe. Passwords can be cracked, leading to the theft of medical records, which are supposed to be confidential. Encryption should have kept the records safe even if they fell into the wrong hands, and the laptop would also have been tracked. The technical team ought to have put in place a channel for communicating safe electronic practices within the medical facility. The technical team should also have updated the training given to employees so as to guarantee the safety of patient information (Gostin, 2001). Had the health records technical team put these measures in place, the laptop should never have left the hospital premises in the first place.
How the breach was resolved
The remedial measures taken in response to the breach included strengthening the encryption process: no laptop computers were to be issued to employees without being encrypted, and the tracking of the encrypted laptops was improved. Employee training was updated to cover communicating safe electronic practices within the hospital facility. Moreover, Cincinnati contracted the services of ID Experts to help the patients whose information was on the stolen laptop. The victims were given a one-year membership, during which they would have the services of fraud resolution representatives who would stop, assess, and reverse fraud. For one year, the patients were to have free access to ID Experts’ personnel and their online resources, which are both advisory and educational. The patients were to be advised on how to protect their private information following the theft of the laptop. As required by law, the Department of Health and Human Services, the family members of the victims, and the general public were notified through a press release and postings on the hospital’s website.
What I would have done to ensure the breach never occurred
I would have appointed a security officer to both the IRB and the Privacy Board to assess data protection needs and subsequently to implement staff training and the remedial measures to be taken in case of theft of patients’ records. I would also have intensified the encryption and encoding of the laptops the hospital uses. In compliance with the law, I would immediately inform the patients of the loss of the records so that they could guard against theft of their identity (IOM, 2000). I would also conduct security audits at regular intervals. Together with other health industry players, I would lobby the federal government to encourage innovations that enhance the security of health information systems.
Reference List
Gostin, L. (2001). Health information: Reconciling personal privacy with the public good of human health. Health Care Analysis, 9, 321.
IOM (Institute of Medicine). (2000). Protecting data privacy in health services research. Washington, DC: National Academy Press.