A nearly expired laptop with very sensitive information has been missing. This laptop was belonged to the Mann-Grandstaff who worked as the VA in Spokane, WA. The laptop contained all the information about hematology tests as it was combined with the hematology analyzer. Previously the laptop was in use from April 2013 to the May 2016, but later on, when the device was not usable, it was decommissioned. A vender who supplied the device replaced the device, however the missing device was revealed by the equipment inventory.
Vender of the device has no record, but the device should be returned to the vender. The medical center conducted full research, but they were unable to find the device. It was unable to discover the right number of information present in the device or who were the patients about which the information was stored. For this, MGVAMC announced that all the patients who submitted their hematology test samples during the time when laptop was misplaced, the data has been exposed. The information that was saved on the device include the DOB, the name, SS numbers and much. It is estimated that the information of 3,275 patients have been exposed. These patients will be provided with the information stealing protection and credit monitoring services.
Whenever a device containing health information gets expired, the HIPAA specialists should ensure that the data should be encrypted properly otherwise, they won’t be able to restore it. The physical defense specified in the security rules of HIPAA. According to OCR, the data should be cleared, purged or destroyed before the device is expired. If the laptop or the device is provided by the vendor, then the device clearing methods should be discussed with the vendor properly and it should also be included in the policies and procedures.
After this accident, the Mann-Grandstaff created a new rule to clear all the data from the devices before expiring, decommissioning or sending back to the vendor so that ePHI breaches can be prevented in future.