Georgia hospital reveals loss of 315,000 medical records
Emory University Hospital, one of Georgia's largest healthcare providers, recently announced that as many as 315,000 surgical patient records may have been compromised as a result of an incident discovered in February. The missing information has put several former patients on high alert and called into question the efficacy of the provider's data protection strategies.
Lapse of records management protocol
According to a bulletin posted on the university website, the missing data set contains the medical records of patients who underwent surgery within the Emory Healthcare system between 1990 and 2007. This information was kept on a collection of 10 backup discs stored onsite. While officials were quick to dismiss the possibility that the incident was the result of a targeted hacking plot, the reality could be even more concerning.
According to the Atlanta Journal-Constitution, administrators have confirmed that the discs were not handled in accordance with traditional data backup and recovery best practices. While the data was stored in an office that was locked at night and routinely patrolled to restrict access, the actual cabinet holding the discs was never locked.
"We sincerely regret this incident and want to assure our patients that we are committed to safeguarding their personal information," Emory Healthcare president and CEO John Fox stated. "While we have no evidence at this time that any personal information has been misused as a result of this incident, we want to take all precautions to ensure our patients' information is safe. We are moving forward expeditiously with providing all affected patients, at our cost, access to identity protection services, including credit monitoring."
This resolution is as much appreciated as it is essential, considering the nature of the records that have been potentially compromised. Approximately 228,000 of the medical records that were exposed plainly displayed Social Security numbers, according to university officials. Patient names, operation dates, diagnoses and surgeon names were included in the missing data set as well.
Isolated incident, but a growing trend
Emory Healthcare has maintained a strong reputation for data protection over the years, and should be commended for its transparency and for the assistance it has afforded concerned patients following this regrettable incident. While the circumstances may be unique for the Georgia healthcare provider, it is a story that has become all too familiar in the industry of late.
April has been a particularly difficult month for health IT departments, according to Government Computer News columnist Kathleen Hickey. Just days before the Emory breach went public, Utah's Department of Health was making headlines for a similar incident that could end up affecting nearly 800,000 citizens. Although the Utah case involved faulty password protection and system configurations as opposed to matters of lock and key, each illustrates the variety of ways data protection efforts can be compromised in the blink of an eye.
Hickey went on to cite a research study published earlier in the month suggesting that employee errors - such as careless access governance - were the leading cause of healthcare data breaches. The same report confirmed that one out of every four healthcare providers has now suffered a breach within the past 12 months.
Improving records management through collaboration
It is hard to imagine an arena in which more stakeholders come together than the healthcare industry. With operating budgets, regulatory standards and patient privacy always on the mind, health IT teams cannot be afraid to ask for a helping hand. By working with hospital administrators and industry regulators to establish clear expectations and seeking consultancy to shore up any areas of weakness, healthcare facilities have a far better chance of maintaining patient confidentiality and avoiding the worst.