News Feature | January 15, 2016

Data Breach At Arnett Healthcare Affects 30K Patients

By Megan Williams, contributing writer

Healthcare Data Breach

In a change of pace from the larger incidents of 2015, a missing storage device is the root of one of the most recent healthcare data breaches.

On the last day of 2015, IU Health Arnett hospital released a notice to its patients regarding a lost storage device that possibly contained patient names, ages, dates of birth, home phone numbers, medical record numbers, service dates, diagnosis information, and treating physicians.

The University Response

The loss was discovered on November 20, 2015. The hospital announced in their letter, “We immediately began an investigation and determined that the device contained spreadsheets with limited patient information from emergency department visits that occurred between November 1, 2014 and November 20, 2015… The spreadsheets did not contain any Social Security numbers, financial information, or medical records and patient care will not be affected.  We are continuing to search for the device but are informing you in the event we are unable to locate it.”

IU Health Arnett has stated that it will be searching for the lost device, and in response has abided by Health Insurance Portability and Accountability Act (HIPAA) regulations and sent the notification to all individuals who were potentially affected. It has also stated that it will be reassessing its security procedures to help prevent similar incidents from happening again.

IU Health Arnett’s Breach History

According to Health IT Security, IU Health Arnett has been in this position before. The facility was compelled to notify more than 10,000 patients in May of 2013 when an unencrypted laptop was stolen, leaving some of their health information exposed. In that situation, IU Health Arnett also pledged to reassess its privacy procedures. It also did not believe that any of the information had been misused, just as is the case in its most recent breach. The letter continued, “IU Health Arnett has no reason to believe the information on this device has been improperly accessed or used ...We apologize for any inconvenience this may cause our patients. IU Health Arnett takes very seriously its obligation to maintain patient information secure, and we appreciate the trust our patients place in us. We are taking steps to enhance the protection of portable storage devices and are reviewing policies and procedures to minimize the chance of such an incident occurring in the future.”