Our sister blog, Health Law & Policy Matters, includes a detailed discussion (warning?) relating to the commencement of HIPAA audits by the Office of Civil Rights. That post can be found here, and it and the embedded links should be required reading for anyone involved with protected health information.
Yesterday, we learned of a major medical data theft involving more than 4 million records from Sutter Health, a large Northern California provider. The Huffington Post provides extensive details on the incident here. Again, had these records been encrypted, the thieves would have gotten away with monitors, keyboards and desktops, but not medical records. The equipment was stolen in a classic smash-and-grab; the thieves simply threw a rock through a window. The HuffPo story points out:
Employees reported the theft to Sacramento police when they returned to work that Monday, Oct. 17, said Sgt. Andrew Pettit, but they didn’t notify the public until Wednesday, a month later. The company said in announcing the theft Wednesday that some patients might not receive mailed notices until early next month. “If that machine is that valuable, then there should be more security measures where that is protected. There’s got to be something in place to make sure that that doesn’t happen,” Pettit said.