Are you including desktop computers in your security risk assessment?
No healthcare provider is immune from theft. And although you hear a lot lately about laptop thefts leading to HIPAA breaches, desktop computers are at risk as well. Are you taking the right precautions to protect all your computers?
Background: The theft of an unencrypted desktop computer during a break-in at a Temple University Physicians medical office in Philadelphia, PA resulted in the breach of 3,780 patients’ protected health information (PHI). The theft occurred sometime between July 18 and July 21, 2014, according to Temple’s breach notification to the HHS Office for Civil Rights (OCR).
The desktop computer was in the surgery department and contained files with PHI including names, ages, billing codes and referring physicians’ names, reports the Philadelphia Inquirer. Temple claimed that the files did not contain financial information nor Social Security numbers.
Take the Right Steps in Breach Response
Correctly, Temple immediately reported the theft to local police, HHS, and the affected patients. So far, Temple is providing free identity theft-monitoring services to all affected patients for the next 12 months.
Temple also plans to beef up its employee training, improve physical security, and boost technical security measures on desktop computers, according to the healthcare system. Unfortunately, the desktop was not encrypted.
What You Can Learn from This Breach
“Time and again data breaches are caused by the loss or theft of a laptop computer, but it is less common that a desktop is stolen that compromises health information,” said partner attorney Linn Foster Freedman in a Sept. 19 blog posting for the law firm Nixon Peabody LLP.
Lesson learned: You should include desktop computers in your security risk assessments, “as the risk of theft of desktop computers is real, which is apparent from this incident,” Freedman warned. “It is a reminder that all computers are a security risk for an organization and proper security measures for all media — removable or otherwise — is essential.”