Theft at Healthcare Facilities Puts Patient Data at Risk

By ThinkReliability Staff

There have been many reported cases of theft at healthcare facilities that put patient data at risk.  Loss of medical equipment or patient safety data is a big issue for the involved healthcare facility, and it’s all too common.  More than half of healthcare facilities have reported at least one health data breach since 2009.  It is estimated that 66% of reported breaches are due to theft.  (For an example of a patient privacy breach not related to theft, read our previous blog.)

Some notable thefts: more than $1 million worth of equipment (including some that contained patient information) was stolen over a two-year period from a VA Hospital in Florida.  A health insurance provider lost nine server drives, including patient and provider information for 1.9 million people.  The theft was not reported until two months later and followed a theft two years prior of a portable disk drive which contained personal data for 1.5 million members.  We can look at the issue of theft of equipment in a proactive root cause analysis performed as a Cause Map, which allows us to visually map causes that could result in impacts to the goals.

In this case, there is the risk of impact to the patient safety goal if patient medical records are impacted.  The loss of property can be considered an impact to employees, the organization, and the property goal.  The loss of patient data can be considered an impact to the patient services and compliance goal (as compliance with privacy regulations may be affected).  In this case, we look specifically at loss of equipment and data due to theft.

Beginning with the impacted goals, we can ask “Why” questions to add detail to the Cause Map.  Loss of property can result from theft, and insufficient inventory records can contribute.  (This was noted in the case of the VA loss.)  Theft can occur within or outside a healthcare facility.  Within a facility, property can be stolen by either employees or non-employees.  If it is determined that property was only accessed by employees, more intense background checks may be in order.  In either case, security needs to be considered.  The levels of security depend on the type of facility, type of property and data contained in various spaces, and various other factors, and should be considered for each facility individually.

Property that is stolen outside the facility is generally stolen from an employee who works off-site or has taken data off-site and has not sufficiently protected the data.  If employees are allowed to have sensitive information or expensive equipment off-site, sufficient precautions must be taken, which are also dependent on the sensitivity of data, value of property, and needs of the facility.

To view the Outline and Cause Map, please click “Download PDF” above.