Data Breaches at Howard University Hospital

cybercrimeHoward University Hospital has experienced two data breaches this year, one involving a stolen laptop and the other the sale of patients’ private information.  Names, addresses, Social Security numbers, Medicare numbers, and even some diagnosis-related information may have been compromised.

In late January 2012, a laptop belonging to a contractor working with the hospital was stolen from the contractor’s car.  In violation of both the hospital’s policy and federal law, the contractor had downloaded records for over 34,000 patients onto the personal laptop; while the computer itself was password-protected, the files were not encrypted.  The hospital notified patients of the possible disclosure and announced that it was implementing enhanced security measures to prevent future data breaches.

However, in May, federal prosecutors charged a surgery technician with violation of the Health Insurance Portability and Accountability Act (HIPAA).  The technician is described as an employee of the hospital in charging documents, though hospital officials said that she was actually employed by physicians located on the school’s campus instead.  She is charged with one count of wrongful disclosure of individually identifiable health information for the selling of patients’ information between August 2010 and December 2011, and could be sentenced up to ten years in prison.  The two incidents appear to be unrelated.

Healthcare providers and professionals using medical billing software and/or Electronic Health Records (EHR) systems need to follow HIPAA guidelines regarding patients’ Personal Health Information (PHI), and mobile or remote networking solutions must be secure as well.  Microwize Technology, a leading healthcare IT consultant, can assist.