Purdue IT Security Expert: Don't Panic About 30,000 Compromised Health Records

Jan 8, 2016


For a second time in two-and-a-half years, IU Health Arnett Hospital has had to notify thousands of patients that some of their personal information may be compromised because a computer device was either lost or stolen.

The latest incident was discovered in November, the hospital says, when an unencrypted USB flash drive went missing from the emergency department.

The hospital says it has no evidence the device has been improperly accessed.

However, spokeswoman Rhonda Jones says nearly 30,000 patients who visited the emergency room between November 2014 and November 2015 have been notified that the lost data may include their names, dates of birth, home phone numbers and diagnoses.

In May 2013, 10,000 patients had their information compromised when a laptop was stolen from an employee’s car parked in White County. Social Security numbers, financial information and medical records are not on either missing device.

Purdue University information technology security expert Eugene Spafford says companies must be more attentive to encrypting sensitive information.

“Putting that kind of information on removable storage like a USB key or a DVD without encrypting it in some way to protect if it is lost or stolen, is a problem, is a failure of policy,” he says.

Spafford says the recent data breach isn’t a panic situation, but adds IU Health Arnett needs to change its procedures to ensure data isn’t lost in the future.

Jones says the hospital has required encryption on all laptops since the 2013 incident in Monticello.

She says the hospital is now reviewing its policies and procedures, and taking steps to improve security on portable devices such as USB drives.