Kentucky psychiatric hospital loses sensitive flash drive

A flash drive containing personal patient information recently went missing from Our Lady of Peace, a 278-bed psychiatric hospital in Louisville, Ky.

How many victims? 24,600.

What type of personal information? The flash drive may have included patient names, room numbers, date of assessment, date of birth, insurance company names, along with admission and discharge dates. It did not include diagnoses or treatments, Social Security numbers, dates of birth, telephone numbers or addresses.

What happened? The drive went missing on either March 31 or April 1 and has not yet been found. The hospital's compliance and privacy officers were notified of the loss on April 1. Hospital staff subsequently conducted an investigation that involved reviewing security tapes, interviewing employees and analyzing the computer's usage history.

Hospital officials have not revealed how the breach happened.

Details: Hospital staff has taken “appropriate disciplinary action” following the incident but would not provide any additional details.

Quote: “We have taken this breach very seriously,” the hospital said in a statement. “Patient confidentiality is sacred to us and our patients.”

What was the response? Letters have been sent to affected individuals. In addition, hospital officials said they are taking steps internally to prevent similar breaches from occurring in the future. These steps include re-educating employees about how to handle patient and protect electronic information and using encryption devices on software and computers.

Source: courier-journal.com, The (Louisville, Ky.) Courier-Journal, “Data on 24,600 hospital patients missing,” April 29, 2010.