In January 2011 this blog series discussed here and here that the University of Rochester Medical Center (“URMC” or the “Medical Center”) became a marcher twice in 2010 in the parade of large Protected Health Information (“PHI”) security breaches.  The U.S. Department of Health and Human Services (“HHS”) publishes a list (the “HHS List”), which posts large breaches of unsecured PHI incidents affecting 500 or more individuals.  The HHS List now reveals that URMC reported a third large security breach that occurred on February 15, 2013 (the “2013 Breach”). The HHS List reveals that 537 individuals were affected by a URMC loss of an “other portable electronic device.”  There are several interesting aspects about the 2013 Breach.

First, this blog series earlier observed that URMC apparently determined that it was not necessary or appropriate to publish its PHI breaches in 2010 in the URMC Newsroom or elsewhere on the URMC website.  Our later post reported a reader’s comment that the second breach of URMC in 2010 could be located with some effort on the general University of Rochester website.  In contrast, however, the 2013 Breach was prominently published by URMC on May 3, 2013 in the URMC Newsroom and can be found in the 2013 archives.

Apparently a URMC resident physician misplaced a USB computer flash drive that carried PHI and which was used to transport information used to study and continuously improve surgical results. The information was copied from other files and, therefore, the Medical Center believes its loss will not affect follow-up care for any patients.  Additionally, the URMC posting observed that “after an exhaustive but unproductive search, hospital leaders believe that the drive likely was destroyed in the laundry.”

According to the URMC posting,

The flash drive included the patients’ names, gender, age, date of birth, weight, telephone number, medical record    number (a number internal to URMC), orthopaedic physician’s name, date of service, diagnosis, diagnostic study, procedure, and complications, if any. No address, social security number or insurance information of any patient was included.

It is refreshing that URMC has given the public notice of the 2013 Breach on its website.  Significantly, URMC also disclosed its development of new policies for the use of smart phones, iPads and other mobile devices to safeguard protected health information. In addition, URMC is retraining users of its PHI and encouraging its physicians and staff to access sensitive patient information using its secure network rather than via portable devices.

One puzzling aspect of URMC’s actions is that its notifications to affected individuals and the posting by the Medical Center did not occur until the week of April 28, 2013. This is clearly past the date required by HHS.  HHS requires that notifications be made “without unreasonable delay and in no case later than 60 days following the discovery of a breach.”  Sixty days after the breach discovery on February 15, 2013 would have been April 16, 2013.

It is clear that the proliferation of mobile devices has geometrically expanded the potential for lost or improperly accessed PHI.  Even the most carefully planned and communicated policies cannot assure the protection of PHI from inappropriate compromise, whether intentional or accidental.  Moreover, the continual advancement of technology in this area at lightning speed often renders policies obsolete almost as soon as they are finalized and disseminated.  In the long run, it may make the question of the potential for a PHI breach for a covered entity, business associate or subcontractor more of a matter of “when” and “how” rather than “if.”