The Loma Linda University Medical Center in California revealed last week that it recently suffered a data breach involving medical records of more than 1,300 patients, in an incident that highlights the healthcare industry's continued struggle with data security.
According to the Press-Enterprise and others, the breach occurred when a now-fired employee took home medical records against the hospital's policy. The documents included birth dates, addresses, driver's license numbers and medical record numbers of some 1,336 patients. In some cases, the records included Social Security numbers.
In a preliminary investigation, hospital officials determined that the incident warranted the employee's firing.
"One of our employees was caught with patient records," said medical center spokeswoman Briana Pastorino, according to local news provider Redlands Daily Fact. "That employee has been terminated."
Internal data breaches are a threat for all businesses, but they can be especially damaging in the healthcare industry given the sensitive nature of much of the information that such organizations handle. In a hospital or medical clinic setting, health records can pass through any number of hands, including those of doctors, nurses, receptionists and others. In many instances this leaves the window wide open for a record to go missing or be stolen.
According to a recent report from the Privacy Rights Clearinghouse (PRC), three of the top six data breaches of 2011 involved the healthcare industry. One breach suffered by Tricare Management Activity and its subcontractor, the Science Applications International Corporation (SAIC), occurred when backup tapes containing medical records from military hospitals and clinics were stolen out of an SAIC employee's car in San Antonio.
In total, more than 5 million uniformed service members, retirees and their families were affected by the breach, which stemmed from an insider's mishandling of the records. Four people have even filed a lawsuit for $4.9 billion, citing Tricare and SAIC's improper disclosure of medical data.
Both the Tricare/SAIC and the Loma Linda cases highlight the need for greater data protection measures in the healthcare industry, especially as the industry shifts toward electronic medical records.
For its part, Loma Linda University Medical Center has made several moves to protect those affected by the breach. According to the Press-Enterprise, the hospital has launched an internal investigation of the incident to determine how it happened and what adjustments need to be made to ensure future breaches do not occur.
The hospital is also offering to pay for a year's worth of credit monitoring by a professional agency for those affected by the breach. This is a standard move for many organizations hit by breaches and other data loss incidents, as it demonstrates to clients that the organization is serious about data protection.
At the same time, however, such moves are reactive rather than proactive. At a time when much of an organization's reputation rests on how comfortable the public is with its services, it is important for healthcare providers to adopt more data-centric security strategies and measures that restrict unauthorized users' access to information.
While there is no way to guarantee that medical records and other data will be safe from breaches, there are a number of steps organizations can take to reduce the chances of an incident occurring. For example, adhering to the Health Insurance Portability and Accountability Act, among other standards, can ensure a medical provider's security measures are in line with the best practices determined by industry regulators.