This blog series has been following the ever-growing parade of large security breaches of Protected Health Information (“PHI”). Within the last week, The Boston Globe reported that venerable Boston Children’s Hospital (the “Hospital”), the primary pediatric teaching hospital of Harvard Medical School, has notified the public media and affected individuals of a large PHI security breach (the “Breach”). The Globe article by Chelsea Conaboy reported that the Breach occurred when an employee of the Hospital, while at a conference in Buenos Aires, Argentina, “lost a laptop containing a file with information about 2,159 patients, including names, birth dates, diagnoses, and treatment information.” The laptop, which the Hospital reported as having been password protected but not encrypted, did not contain financial data or Social Security numbers.
The Breach is one of the first reported instances of the loss or theft outside of the United States of a laptop containing unsecured PHI. Whether the PHI stored on the laptop has been or will be inappropriately accessed and used remains unknown. The distinction between password protection and encryption is the decisive one here: a login password does not protect data at rest, because the drive can simply be removed or the machine booted from other media and the files read directly. Only encryption consistent with HHS guidance (which points to NIST Special Publication 800-111 for data at rest) renders PHI “secured,” so that its loss does not trigger the breach notification obligations that the Hospital now faces.
The Breach has not yet been reported on the U.S. Department of Health and Human Services list (the “HHS List”) of reported breaches of unsecured PHI affecting 500 or more individuals. Nor does a visit to the Hospital’s Web site and its on-line “Newsroom” and Press Releases for 2012 reveal any reference to the Breach.
The Hospital does have a Code of Conduct on its Web site that contains a short reference to “Patient Privacy and Confidentiality.” However, attempting to open the links under that heading to the referenced “Patient Health Information Policies” and “Information Security Policies” only results in “Oops! There was an error finding that page” and instructions to try again. Moreover, the footer on each page of the Code of Conduct recites a publication date of 12/06, well before the enactment of the federal HITECH Act.
A number of conclusions can be drawn from the information currently available regarding this unfortunate Breach. If the Hospital takes “this incident and the protection of protected health and personal information extremely seriously,” as its chief information officer was quoted in the Globe article, then at a minimum it should do what many other covered entities that have suffered PHI security breaches have done and prominently place its press release respecting the Breach on its Web site.
The Hospital should also appropriately update its Code of Conduct respecting patient privacy and confidentiality and rectify the “dead” links that would provide meaningful information on such subjects to those who seek it.
Finally, the Hospital and other covered entities should consider adopting clear policies governing the protection of laptops and other electronic devices that contain PHI, including full-disk encryption of any such device and rules for transporting such devices outside of the United States.