Beware of breaches in legacy and depricated systems.

Officials at Nemours Children’s Health System have reported the loss of personal information of thousands of Florida patients.

The breach involves a three backup tapes from an old computer system. These tapes were not password protected or encrypted. The tapes were stored in a filing cabinet at a facility in Delaware. The breach involves information for up to 1.6 million patients and Nemours has offered the families of impacted patients one year of free credit monitoring if they are concerned about this missing information.

This breach underscores the need for each and every medical practice and hospital to have a full inventory of all patient data, this inventory should clearly indicate the location of the device that holds the data, the status of the data, and the person responsible for security of this data. Furthermore any and all backup data from legacy and unused systems should be dealt with appropriately. Depending upon local and state laws information that is over a specific age may be eligible for destruction. A good HIPAA security plan has provisions for managing and tracking all devices, tapes, disks and media that contain PII (Personally Identifiable Information). Taking the steps today to identify all places where PII is stored, and then either destroying data that is eligible for destruction, or properly securing this media and data will go a long way to prevent a breach of this nature for your organization.

Additional questions need to be raised as to why was this data in a filing cabinet in Delaware? Was this data under the care of a Business Associate? Was there an up to date Business Associate Agreement in place? The information currently available to CMEonline is insufficient to determine how many HIPAA security related gaps have been identified by this breach. But what is clear is that Nemours will need to complete a complete Security Incident Response Report to identify all of the gaps that led to this breach. They will then need to take appropriate steps to insure a breach of this nature does not happen again.

Now is a good time for you to look at your current HIPAA security plan and determine if you are at risk for a breach of this type, Include your actions in your Risk Analysis, and then update your HIPAA manual to address any potential risks that may pertain to your organization.