Complete Wellness, a Baltimore treatment center for patients with behavioral health and substance use disorders, was recently forced to post a Warning of Potential Privacy Violation relating to the loss of an unencrypted flash drive containing information of over 600 patients. The employee who lost the flash drive had downloaded, without authorization, certain patient information including patient name, address, phone numbers, email address, birthdate, age, social security number, languages spoken, emergency contact, level of education, employer information, primary care physician, list of medications at admission, list of allergies, ethnicity, race, marital status, hurricane victim status, living situation, military service, arrest history, and hearing or vision difficulties. Complete Wellness’ post fails to delineate a reason why the employee believed there was a need to put this extremely broad and detailed level of information for over 600 patients on a flash drive.
This incident is a good reminder for providers and other entities handling protected health information (PHI). Strong policies and procedures, including disciplinary procedures, must be implemented to deter employees from making these types of mistakes. Where possible and reasonable, IT systems should not allow PHI to be downloaded onto portable media without an appropriate level of authorization. And, if it becomes necessary to place PHI on portable media, that media must be encrypted and logged/tracked, and it should contain only the minimum amount of PHI necessary for the intended purpose.
Below is a link to the Complete Wellness notification: