How the Virginia health system is strengthening security protocols. Others might want to take notice.
When healthcare organizations suffer a data breach, they tend to examine and update their information security protocols, but they don’t typically share what they’ve learned with others. Chesapeake Regional Healthcare, however, is an exception.
About a week ago, the Virginia-based health system revealed that the protected health information of 2100 patients had been compromised after 2 portable hard drives went missing. The unencrypted devices held information like patient names, dates of birth, medical record numbers, demographics, prescription drugs, and procedures performed, Healthcare Analytics News™ reported.
Chesapeake learned of the data breach in February. Its leaders have since had time to analyze and improve the institution’s data security practices, and they opted to share that knowledge with this magazine.
“We’ve learned that we need to continually strive to effectively manage risks associated with the use of information technology and encourage other organizations to encrypt all portable hard drives in use and lock them in a secure location during non-use,” said Tricia Hardy, Chesapeake Regional Healthcare’s spokesperson, via email.
And that is exactly what the health system has done. Encryption offers reasonable hope that anyone who manages to get their hands on such a hard drive won’t be able to access the sensitive protected health information within. Secure storage, meanwhile, ensures that the devices will be accounted for and, theoretically, better protected than when left in a busy practice.
Chesapeake didn’t provide any updates on the case, which is in the hands of a local police department. When asked if they thought the data breach had been caused by employee theft, Hardy noted that the “investigation is ongoing, and we are unable to comment with certainty.”
Still, the incident is a reminder that data breaches aren’t always caused by cybersecurity issues. Sometimes they are the work of a person physically removing, misplacing, or erroneously exposing a physical object, whether that be a hard drive or even a sensitive patient-oriented letter.
Like most data breaches, this one is also a wake-up call to regularly check and test healthcare security protocols.
“This incident has provided an opportunity for us to look more closely at our processes and improve the way we identify, assess, and address information technology risks throughout the organization,” Hardy said.
Chesapeake is offering identity theft protection services and credit monitoring to the affected patients.