Precipitating Event: During an office relocation, 57 unencrypted computer hard drives were stolen from a network data closet.
On October 5, 2009, XYZ Health Insurance employees discovered a theft of computer equipment from a network data closet located at a location in Chattanooga, TN. The stolen items included 57 hard drives containing encoded electronic data. The data on the hard drives consisted of over 300,000 video recordings and over 1 million audio recordings.
The network data closet contained the encoded computer hard drives that were stolen. The network data closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock.
The hard drives in the network data closet were part of a system which recorded and stored audio and video recordings of customer service calls. The hard drives that were stolen contained data which included the protected health information of health plan members, such as member names, member ID numbers, diagnosis codes, dates of birth, and social security numbers. XYZ Health Insurance's internal investigation confirmed that the PHI of 1,023,209 individuals was stored on the hard drives.
(Quoted with minor modifications for readability.)
"a system which recorded and stored audio and video recordings of customer service calls"
Unlike patient medical records, customer service calls are not an obvious example of PHI. PHI comes in many forms.
Ask Yourself: Does your clinic record data that is not an obvious example of PHI?
"closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock"
The closet had good physical security, suggesting that the thieves were insiders. But the disk drives were not encrypted. Note that the encoding used for audio/video is a storage format, not a security control: anyone holding the drive can decode it, whereas encrypted data cannot be read without the key. The words encoded and encrypted sound similar but mean different things.
Ask Yourself: Has your clinic considered biometric locks for sensitive rooms?
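To make the encoded-versus-encrypted distinction concrete, here is an added example (not part of the original case commentary, and not XYZ Health Insurance's system). It takes a constructed call-recording record carrying the kinds of PHI fields named above, shows that a reversible encoding (base64 stands in for any codec or container format) is recovered with no secret at all, and then protects the same bytes with AES-256-GCM, where a wrong key or a single flipped byte is rejected. The record contents, field names and key handling are all assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// recording is a constructed stand-in for one call-recording file plus the
// member metadata the case says was stored with it. Not real data.
var recording = []byte("member=J. Doe;id=MBR-000001;dob=1970-01-01;ssn=000-00-0000;audio=<pcm bytes>")

// encodeOnly applies base64, the kind of reversible transformation a codec or
// container format applies. It needs no key, so anyone holding the bytes can undo it.
func encodeOnly(plain []byte) string {
	return base64.StdEncoding.EncodeToString(plain)
}

// recoverEncoded undoes encodeOnly without any secret, which is the point:
// "encoded" data is readable by whoever walks off with the drive.
func recoverEncoded(enc string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(enc)
}

// newKey returns a random 256-bit AES key. In a deployment this would live in
// a key manager or HSM, never on the same drive as the recordings (assumption).
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encrypt seals plain with AES-256-GCM under key. Output is nonce || ciphertext || tag.
func encrypt(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// decrypt opens a blob produced by encrypt. A wrong key or any modified byte
// makes GCM's tag check fail, so the caller gets an error, not garbage plaintext.
func decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	back, _ := recoverEncoded(encodeOnly(recording))
	fmt.Printf("encoded, recovered with no key: %q\n", back)

	key, _ := newKey()
	blob, _ := encrypt(key, recording)
	wrongKey, _ := newKey()
	if _, err := decrypt(wrongKey, blob); err != nil {
		fmt.Println("encrypted, wrong key:", err)
	}
	plain, _ := decrypt(key, blob)
	fmt.Printf("encrypted, right key: %q\n", plain)
}
```

The design point is that the encryption key is the only thing standing between a stolen drive and the PHI, so it must be stored and managed separately from the drive; encryption at rest with the key sitting on the same hardware buys nothing.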
Though the press release used a form of the word once ('57 unencrypted computer hard drives'), I was very surprised to see that the Corrective Action Plan does not mention any variation of the word encryption.
While encryption is usually assumed to be part of a risk management policy, the HIPAA Police usually mention it several times in the documents. I am not sure whether this was deliberate, part of the legal negotiation, or a rare oversight. In order to get the PHI, thieves had to listen to each phone call. The drudgery of listening to all those calls could have been a factor.
Security camera footage, which is usually stored on disk for a few days, is another type of overlooked PHI.