The University of Virginia Medical Center has lost an on-call pharmacist’s unencrypted handheld device containing sensitive medical records for more than 1,500 people, officials said Friday.
The medical center learned Oct. 5 that the device, used by its Continuum Home Infusion Service, was missing, officials said.
An on-call pharmacist used the device, and it likely contained information from potential patients referred to the service between August 2007 and September of this year, as well as patients treated in September.
The information might include “patients’ names, addresses, diagnoses, medications and health insurance identification numbers,” according to a news release. Some of those numbers are also patients’ Social Security numbers, according to the release. No credit card or bank account information appears to have been affected, according to officials. The Social Security numbers are included because Medicare uses them as part of patients’ insurance numbers, said Robert “Bo” Cofield, associate vice president for hospital and clinics operations.
The breach could affect the records of 1,846 patients and potential patients, said medical center spokesman Eric Swensen.
The infusion service helps provide intravenous medication to patients being treated at home, such as those taking intravenous antibiotics for a case of pneumonia not severe enough to require admission to a hospital. In some cases, patients can be discharged from the hospital sooner because the service is available, officials said.
“We don’t have any evidence whatsoever that this information has been used or accessed,” Cofield said.
Handheld devices commonly are used in the industry, particularly by on-call workers, but the information should be encrypted, Cofield said.
“The error was that it was unencrypted,” he said.
A thorough search failed to turn up the device, which was last seen at the transfusion service’s office, Cofield said.
All handheld devices the service uses now are encrypted, and the medical center has re-educated its staff on the importance of such measures, Cofield said. Officials don’t think the device was stolen, he said, but they filed a police report just in case.
“We take the confidentiality of our patients very seriously,” Cofield said. “We regret that this has occurred. As I said, it doesn’t excuse it, but it’s a small portion of an organization that sees over half a million patients a year.”
Much of the time gap between the early October discovery that the device was missing and Friday’s announcement on the final day of November can be attributed to UVa officials waiting on forensic work to identify exactly what information was on the device and complying with various state and federal regulations tied to notification requirements, Cofield said. Letters to patients started going out Friday.
“It’s variable [depending on factors including what state the patient is from] and we wanted to be sure we got it right,” Cofield said.
Cofield called it “the right thing to do,” but also noted the medical center was required to notify the media and patients.
McAfee identity theft expert Robert Siciliano said the first concern in breaches such as the one at UVa is medical identity theft, in which criminals use victims’ medical information to get health care for themselves.
If that happens, a thief’s information could wind up on a theft victim’s medical record, Siciliano said.
The other potential danger, particularly for those whose Social Security numbers are included in the information, would be new account fraud, in which thieves use the information to get credit cards, bank accounts, mortgages, mobile phones, utilities and other financial arrangements in the victims’ names.
Siciliano said victims might be offered some form of identity theft protection, likely credit monitoring. In addition, victims should check their medical records through the Medical Information Bureau semi-annually for the next few years, Siciliano said.
A thief easily could figure out how to extract the information from the device, Siciliano said.
“It’s guaranteed that once this hits the paper, they’re going to know what they have in their hand,” Siciliano said.
In early June, 300 to 350 transcripts, some containing Social Security numbers, were accessible through a UVa website as a result of human error. The transcripts belonged to students who’d applied to an institute at UVa. Some of their home institutions included the numbers on the transcripts. The problem was discovered by a person Googling himself.
For more information: Visit http://uvahealth.com/patients-visitors-guide/privacy-notice-for-continuum-home-infusion-patients.