Physical Theft of PHI
By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
How many unexpected and unforeseen circumstances can 2020 present us with? Each month we think that we’ve likely seen it all, considered it all, and readied ourselves for whatever comes our way. This year has provided us with plenty to panic over, and many things that we never thought we’d face.
Take for example the unexpected fallout from incidents in the earlier part of this year. While not isolated to one particular incident, there was likely a higher number than in previous years of group demonstrations that led to sporadic surges in physical crime.
As some of the crimes included looting, the surrounding businesses were of course affected by theft. What wasn’t initially accounted for in those thefts can be seen in the case of Walgreens, with the theft of protected health information (PHI) contained on prescription bottles and documentation. While being a chain provides the opportunity for a business to be located in multiple communities, when multiple communities are affected by robberies or other crimes, your odds of being affected increase as well.
What Was Stolen?
Walgreens has reported that 72,000 of its customers have had some of their PHI exposed as a result of the thefts from 200 stores. Paper records and already filled prescriptions were stolen, but the financial information and Social Security numbers of those patients remained secure. The information did include full names, addresses, vaccination information, birthdates, and other contact information such as phone numbers and Walgreens reward numbers. This included the stolen prescription details and health plan information as well.
Walgreens took action to notify their customers and the appropriate government agencies, and the PHI exposure is no less than that which happens in a data breach. But it brings to light an important factor that we often overlook: You can’t plan for everything. We often think of stolen PHI in the digital sense, but this example reminds us that the physical theft of PHI is still a very real threat as well.
You can do your best in being proactive. You can have the training, a contingency plan, policies and procedures, and even cyber insurance in place to ensure that your business withstands a cybersecurity breach. But if we told you a year ago about where we’d be today, you would have said it was the stuff movies and tall tales are made of.
You just never know. So, you prepare for the worst, or at least the known worst, and hope for the best. And while hope is something you can’t put a plan around, preparation is something you can definitely put your best effort into. Make sure your plans take into account the protection of PHI in both the physical and the digital sense.
This article was originally published on HIPAA Secure Now! and is republished here with permission.