John Muir Health, a three-hospital delivery system, on April 5 began notifying 5,450 patients that their personal health information was on two laptops stolen from a perinatal care office in Walnut Creek, Calif., according to numerous reports from local media.

The theft occurred in early February. In addition to notifying patients, the delivery system also has notified the Department of Health and Human Services' Office for Civil Rights, as required under the breach notification rule.

Data on the laptops was not encrypted, but was password protected and "in a format that would not be readily accessible," according to a statement from John Muir Health. The organization now is locking down and encrypting laptops across its enterprise.

To date, there is no evidence protected health information has been accessed or used inappropriately, according to the organization. John Muir Health is offering affected patients free identity theft protection services from Equifax for one year. Officials at John Muir Health did not immediately respond to telephone and e-mail requests for an interview.

The Office for Civil Rights in February published on its Web site an initial list of 47 larges breaches of protected health information since the breach notification rule became effective in September. That list showed two clear patterns the industry must consider, says Susan McAndrew, deputy director for health information privacy in OCR, which enforces health privacy laws. She spoke to Health Data Management for a May cover story on the breach law.

"The overwhelming majority are theft-related," McAndrew notes. "It's a little early to tell if this is reflective of the industry in particular or a commentary on the level of crime in America." Either way, though, "what all the incidents are showing is that entities must really take a closer look at encryption and reassess whether or not encryption should be a routine part of their security requirements," she adds.

Encryption of protected health information is not required under the HIPAA security rule or the breach rule, which now is part of the HIPAA administrative simplification suite of rules. However, use of the technology must be considered in an organization's security risk assessment with the reasons for not encrypting documented.

Another pattern emerges from the initial list of data breaches:  "It's all predictable--involving portable media and laptops," says Paul Smith, a health law attorney and partner in the San Francisco firm Davis Wright Tremaine LLP.

Smith points to guidance published by HHS several years ago on best practices for securing portal electronic media, such as tapes, disks, flash drives and other means. "I would get that guidance and look for gaps in your risk assessment," he advises. The HHS guidance, published Dec. 28, 2006, is available at

--Joseph Goedert


Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access