Corvallis Clinic
January 1, 2014
4468 days ago
Undisclosed
Confirmed
Lost Device
Healthcare
Patients at an Oregon healthcare facility were notified this week that their protected health information (PHI) was potentially exposed after the theft of an employee laptop. A Corvallis Clinic employee was attending a work-related conference in Portland in mid-November and had a personal laptop in their locked car. The laptop contained limited health information, according to a privacy disclosure posted on the Corvallis website.

Potentially compromised information includes patient names, dates of birth, name of treating healthcare provider, and the reason for a clinic visit. Social Security numbers or financial information are not believed to have been included. Moreover, only patients seen within the last two years are said to potentially be affected.

"This was a breach of Clinic policy in that patient health information was reported to have been maintained on the employee's personal laptop that had not been evaluated or cleared for use by The Clinic's IT security officer," the statement read.

The employee reportedly notified supervisors and authorities within 24 hours of the theft taking place. While the incident took place in mid-November, Corvallis explained that it is notifying the public and media earlier than required by federal law. The clinic chose to do this because it takes the issue very seriously and is dedicated to the privacy and security of patient information.

While the laptop had a highly secure alpha-numeric password, Corvallis added that the data stored on the laptop was not encrypted. However, the clinic stated that it thinks a breach of PHI is unlikely.

"The Clinic's primary ethical responsibility is to our patients," the clinic stated. "We are doing our due diligence to try to ascertain what information is contained on the spreadsheet and how many patients were listed." However, unless the laptop is recovered, the exact details of the information and the total number of patients listed may never be known.

This incident is another example of the importance of HIPAA administrative safeguards. Employees at all levels need to understand how to keep patients' PHI safe at all times. For example, storing sensitive information on a personal laptop is not a secure way to transport data.

Another factor to keep in mind is that organizations could be found liable for their employees' actions. Walgreens was told by an Indiana Court that it was responsible for HIPAA violations committed by one of its employees. The worker inappropriately accessed an individual's prescription medication information and exposed it to another person.

"By choosing to appeal, Walgreen has now created a precedent confirming that privacy breach victims may hold employers accountable for the HIPAA violations of their employees," explained the plaintiff's lawyer, Neal Eggeson Jr.