Learn from Other People's Mistakes
West Virginia Executive Branch
I heard about a clinic that “lost” lots of medical information when an employee’s work-assigned laptop was stolen. Sounds like it was a pretty big deal and lots of people were affected. I work with medical records too – got any suggestions to help me avoid “losing” patient information?
Did you know that the Federal Department of Health and Human Services has a website that lists all of the security breaches that expose the protected health information (PHI) of more than 500 people? Protected health information is information that hospitals, doctors, other medical providers and health plans (HIPAA covered entities) maintain about individuals’ health care - it includes your medical records. The website can be found at
It is useful to look at the reported breaches to see what types of events the HIPAA covered entities are reporting. Of the 89 breaches reported on the website on May 27, 2010, 58 were the result of theft of computers (including laptops, desktops and servers), devices, media, and paper records. Other types of breaches included unauthorized access due to “hacking,” misdirected mail and e-mail, and lost computer equipment and media.
These breach reports can help us identify areas where we need to focus our security efforts. Given the common occurrence of theft, we should be especially careful with physical security measures, such as:
- Using locking cables or secure storage to protect laptops and computers when not attended
- Keeping careful track of paper records and electronic media, so that they cannot be taken by an unauthorized person, even inadvertently
- Ensuring that doors and file cabinets are always secured
- Politely refusing to allow anyone you don’t know to “tailgate” through a door that requires a badge to open
- Escorting visitors properly
- Alerting security if you see anyone or anything suspicious
If you have a privacy or security question, please contact your Privacy Officer or send an e-mail to: EnterpriseSecurity@wv.gov.
Note: Your agency/bureau/department/division may have specific requirements – always check your policies and procedures. If you have questions, contact your Privacy Officer.