Third big HIPAA breach for URMC
Doc loses unencrypted USB drive
It's the third big HIPAA breach for the University of Rochester Medical Center after officials announced Friday that one of its physicians had misplaced an unencrypted USB drive containing the protected health information of 537 patients.
URMC officials say they have notified the 537 former orthopedic patients of the misplaced USB drive, which contained patients’ names, genders, ages, dates of birth, telephone numbers, medical record numbers, orthopedic physician’s name, dates of service, diagnoses, diagnostic studies, procedures and complications, if any. No address, Social Security number or insurance information of any patient was compromised, officials say.
The flash drive is believed to have been lost at URMC Outpatient Surgery Center. After an unsuccessful search, hospital officials suspect the drive was destroyed in the laundry. A search of the laundry service, however, also failed to locate the drive.
According to URMC's new, updated policies regarding portable devices, the resident physician was in violation of company policy.
"We encourage physicians and staff to access patient records through our secure network. If it is necessary to load information onto a portable drive, we require them to use encrypted drives," said Teri D'Agostino, spokesperson for URMC, in an emailed statement. "The only flash drives stocked in our on-campus computer center are encrypted. We have communicated this requirement to all faculty and staff and we continue to reinforce that requirement. In terms of the new rules for portable devices, we require those devices to be password protected, encrypted, and have a time-out if unattended."
D'Agostino says URMC is re-educating faculty and staff about its policy that requires the use of encrypted drives when transporting protected health information on flash drives. An annual educational series to reinforce company policies has also been planned.
This is URMC's third data breach involving more than 500 patients reported to the Department of Health and Human Services. The previous two breaches, which compromised the protected health information of nearly 3,500 patients, both occurred in 2010. One also involved the loss of an encrypted portable electronic device.