Two Medicaid managed care plans in Pennsylvania have reported that an unencrypted flash drive (thumb drive) that had PHI on 280,000 members was lost in September, according to the Philadelphia Inquirer.
UNENCRYPTED – FLASH DRIVE – PHI
Three words that should never go together.
Many of the news reports we write about here revolve around the easiest HIPAA issue to handle – encrypting flash drives.
Note: when talking about flash drives, we lump a number of portable storage devices together, including:
- External Hard Drives
- Thumb Drives
- Smart Phones
- Pen Drives
- CDs & DVDs
If you have any of the above and plan to store PHI on them, you need to have the device encrypted.
Here are a few more notes from this mishap:
- The drive was taken to and used at community health fairs
- “so the data could be available as part of testing a new hardware solution and the drive was later lost in our Philadelphia office.”
- Information on the flash drive included patient names, addresses, plan ID numbers and personal medical information
- Only 7 members had their Social Security number on the drive – this is vaguely comforting, yet the absence of the SSN does not make this any less a disaster.
Encrypting a portable device is simple, inexpensive, and the only legal way to store PHI on a portable device.