Blue Chip Dental
January 26, 2015
2.2K
Confirmed
Lost Device
Healthcare
2,200 Blue Chip Dental patients have been notified that a backup system installed to safeguard patients' protected health information (PHI) has played a part in its exposure. The Social Security numbers, medical insurance information, names, and addresses of patients have potentially been compromised as a result of the loss of a portable storage device used to store data backups.

Late last year, Blue Chip Dental implemented a backup system to better protect patient data. The backup system was installed "to store our digital information offsite in case of fire or other disaster to our building," according to the substitute breach notice placed on the company website. The backup system was part of a $25,000 digital security overhaul.

On January 26, 2016, a portable storage device used for the backup system was discovered to have gone missing. No evidence has been uncovered to suggest data have been obtained or accessed inappropriately, although the missing backup drive has now been declared lost.

Blue Chip Dental contacted the firm used to install the digital security system and was initially told that data stored on the drive was not at risk of being exposed. However, three weeks later Blue Chip Dental was informed that this was not the case, and that data on the drive could potentially be accessed. It is not clear from the breach notice whether the system included data encryption for backup files and an error had been made configuring the system, or whether the backup system did not encrypt data at all.

In response to the breach, Blue Chip Dental's IT providers "have fixed the issue with the portable hard drives." Higher levels of security have also been implemented to prevent future breaches of this nature from occurring.

This incident highlights just how important it is for HIPAA-covered entities to only deal with vendors that are able to confirm that their systems, or the systems they install, offer the protections required by HIPAA.
Vendors must also sign a business associate agreement (BAA) to this effect. If a covered entity implements an IT system for which it has received assurances that the required level of protection for ePHI is provided, and a compliant, signed BAA has been obtained, liability for a data breach may be avoided.
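The gap in this incident was that the vendor's assurance about the portable drives went unverified for weeks. One practical check a covered entity can run itself, before trusting such an assurance, is to sample a backup image from the removable media and confirm it does not contain readable patient records. The script below is an added example, not code from the breach notice or from Blue Chip Dental's vendor; the sample records, file name and thresholds are constructed for illustration. It flags a backup as plaintext if SSN-style fields are readable in the sample or if the byte entropy is well below what ciphertext produces.

```python
import math
import os
import re

# Constructed sample data: a few fabricated dental-practice records repeated,
# standing in for an unencrypted CSV backup. Names and numbers are invented.
PLAINTEXT_BACKUP = (
    b"patient_id,name,ssn,insurer,address\n"
    b"1001,Jane Example,123-45-6789,ExampleCare,12 Main St\n"
    b"1002,John Sample,987-65-4321,SampleHealth,34 Oak Ave\n"
) * 40

# Properly encrypted output is indistinguishable from random bytes, so
# os.urandom stands in for a real ciphertext sample here (constructed).
ENCRYPTED_BACKUP = os.urandom(4096)

# US Social Security number layout, one of the PHI fields exposed in this breach.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, sample_size: int = 4096, threshold: float = 7.5) -> bool:
    """Heuristic verdict on a backup sample.

    Returns False (plaintext) if a readable SSN pattern is present or the
    entropy is far below the near-8.0 bits/byte of ciphertext. Compressed
    plaintext also scores high on entropy, so the pattern check comes first
    and a high-entropy result should still be confirmed against the backup
    tool's own encryption settings.
    """
    sample = data[:sample_size]
    if SSN_RE.search(sample):
        return False
    return shannon_entropy(sample) >= threshold


def audit_backup_file(path: str, sample_size: int = 4096) -> dict:
    """Read the head of a backup image on removable media and report on it."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    return {
        "path": path,
        "entropy_bits_per_byte": round(shannon_entropy(sample), 3),
        "ssn_pattern_found": SSN_RE.search(sample) is not None,
        "looks_encrypted": looks_encrypted(sample, sample_size),
    }


if __name__ == "__main__":
    # Demonstrate on the two constructed samples without touching real media.
    demo = "constructed_backup_sample.bin"  # hypothetical file name
    with open(demo, "wb") as fh:
        fh.write(PLAINTEXT_BACKUP)
    print(audit_backup_file(demo))
    os.remove(demo)
    print("random/ciphertext sample looks encrypted:", looks_encrypted(ENCRYPTED_BACKUP))
```

Run it against the first few kilobytes of each image on the portable drive; a verdict of plaintext is definitive, while a verdict of encrypted is only a strong hint and should be matched against the vendor's documented configuration of the backup software, since a compressed-but-unencrypted archive can also reach high entropy.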