Optical Care Chain Loses a Server, Again

December 5, 2014

Missing Computer Contained PHI for 48,000 Customers

By , December 2, 2014. Follow Marianne @HealthInfoSec

For the second time in recent weeks, Visionworks Inc. has revealed that one of its stores misplaced a database server, apparently through improper disposal.

In a Nov. 21 statement, Visionworks, a unit of Pittsburgh, Pa.-based healthcare insurer Highmark Inc., revealed that a database server at a store in Jacksonville, Fla., containing “partially unencrypted protected health information” belonging to approximately 48,000 customers had been mistakenly discarded after it was replaced on June 2 during scheduled computer upgrades.

Last month, the chain announced that a store in Annapolis, Md., lost a database server containing patient information in June while it was being replaced during a store renovation (see Lost Server: What Went Wrong?). Visionworks believes the lost Maryland computer, which held data on 75,000 customers of that store, was mistakenly discarded in a landfill.

Preventive Steps

A Highmark spokesman declined to detail the steps the company is taking to prevent further losses of servers from its stores, beyond the encryption effort already under way. “Visionworks is in the process of fully encrypting all servers. The process should be complete within the next six months,” he says.

While encrypting all data on the lost computers could have prevented the breach at both store locations, “server hard-drive encryption in an optometrist store is very rare,” notes Kerry McConnell, a senior consultant at security services firm Tom Walsh Consulting.

Security experts say the back-to-back incidents spotlight the need for organizations to have solid inventory management and data disposal practices, and to ensure that staff are aware of those policies.

“In our experience doing HIPAA risk assessments, we often see storerooms or locked ‘cages’ of older used equipment,” says Dan Berger, CEO of security services firm Redspin. “We often point this out as a vulnerability for precisely the reason that occurred at Visionworks. Once taken out of service, it is very easy to forget what is on each server or workstation,” he says. “That sets the stage for an inadvertent discarding of a device that contains lots of confidential data.”

Berger stresses that having policies safeguarding PHI even when it’s no longer needed is mandated under HIPAA.

“We cite the HIPAA Security Rule, which requires that covered entities and business associates implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored,” he says.
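The encryption effort and the disposal requirement quoted above come together at one point in practice: the moment a server is pulled from service, someone has to know whether the data on its drives is readable without the running system. As an added illustration, not Visionworks', Highmark's or any quoted firm's own tooling, the following check reads a Linux host's block-device layout from util-linux `lsblk -J` and lists every filesystem that is not beneath a dm-crypt (LUKS) mapping, i.e. data that whoever pulls the drive out of a discarded chassis could simply mount. It assumes a Linux host; the sample layout embedded in it is constructed, and `--live` is this script's own flag, not an lsblk option.

```python
"""Pre-disposal check: is every filesystem on this host sitting on top of an
encrypted (dm-crypt/LUKS) device?  Added illustration, not the tooling of any
company named in the article; assumes a Linux host whose block-device layout
comes from `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`."""
import json
import subprocess

# Filesystem types that are themselves encrypted containers, not cleartext data.
ENCRYPTED_CONTAINERS = {"crypto_LUKS"}
# Device types that never carry persistent business data.
IGNORED_TYPES = {"rom", "loop"}

LSBLK_COLUMNS = "NAME,TYPE,FSTYPE,MOUNTPOINT"


def find_cleartext_filesystems(lsblk_tree):
    """Walk the lsblk JSON tree and return every filesystem that is NOT
    beneath a dm-crypt mapping: data that is readable once the drive leaves
    the chassis."""
    findings = []

    def walk(node, under_crypt):
        dev_type = node.get("type")
        if dev_type in IGNORED_TYPES:
            return
        # A 'crypt' node is the opened LUKS mapping; everything below it is
        # stored as ciphertext on the physical disk.
        under_crypt = under_crypt or dev_type == "crypt"
        fstype = node.get("fstype")
        if fstype and fstype not in ENCRYPTED_CONTAINERS and not under_crypt:
            findings.append({
                "name": node["name"],
                "fstype": fstype,
                "mountpoint": node.get("mountpoint"),
            })
        for child in node.get("children") or []:
            walk(child, under_crypt)

    for device in lsblk_tree.get("blockdevices", []):
        walk(device, False)
    return findings


def disposal_safe(lsblk_tree, allow_mountpoints=("/boot", "/boot/efi")):
    """True when the only cleartext filesystems are boot partitions, which
    hold no customer data; anything else must be wiped before disposal."""
    return all(f["mountpoint"] in allow_mountpoints
               for f in find_cleartext_filesystems(lsblk_tree))


# Constructed sample: a LUKS-backed OS disk plus a second disk holding an
# unencrypted database volume, the layout that turns a lost server into a
# reportable breach.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "luks-os", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
        {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "xfs", "mountpoint": "/var/lib/pgsql"}
  ]},
  {"name": "sr0", "type": "rom", "fstype": null, "mountpoint": null}
]}
""")


def live_lsblk():
    """Read the real layout of the host this runs on (Linux only)."""
    out = subprocess.check_output(["lsblk", "-J", "-o", LSBLK_COLUMNS], text=True)
    return json.loads(out)


if __name__ == "__main__":
    import sys
    # '--live' is this script's own switch, not an lsblk option.
    tree = live_lsblk() if "--live" in sys.argv else SAMPLE_LSBLK
    for f in find_cleartext_filesystems(tree):
        print(f"CLEARTEXT  {f['name']:<10} {f['fstype']:<12} {f['mountpoint'] or '-'}")
    print("safe to dispose without wiping:", disposal_safe(tree))
```

On the constructed layout the check reports the EFI partition and the database volume on `sdb1`; the former is acceptable, the latter is exactly the forgotten-data case Berger describes, and a device that fails this check should be wiped or physically destroyed rather than handed to whoever is clearing the storeroom.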

