Case Study – Unencrypted Hard Drives Lead to Massive Settlement

Encryption is an addressable requirement in HIPAA regulations. While addressable doesn’t mean optional, many entities don’t view it as necessary. Stolen unencrypted hard drives have led to many HIPAA breaches. In this week’s case study, we see where one entity thought it had taken the necessary precautions to protect patient data on hard drives. However, it didn’t opt to use encryption. This assumption led to a class action lawsuit and a massive settlement. HIPAA fines aren’t the only threat when an entity is breached. There are also the possibilities of lawsuits by patients and damage to the entity’s reputation. Read on for one example of exactly this.

What happened?

In April 2017, Washington State University (WSU) suffered a robbery at one of its storage units. The university had placed unencrypted hard drives in a safe, and the safe was stored in the offsite storage unit. The storage unit was robbed and the entire safe was stolen. The hard drives contained the Protected Health Information of 1.2 million people, including their full names, Social Security numbers, diagnoses, medical histories, and other related medical information.

WSU’s Social and Economic Sciences Research Center had been collecting the data.

At this time, the robbery remains unsolved and there have been no signs that the thieves made use of any of the data.

What was the result?

A class action lawsuit was filed against WSU for the breach. While WSU maintains that none of the data on the stolen unencrypted hard drives had been used for identity theft, many of the plaintiffs claimed that they had suffered identity theft.

At the heart of the suit was the claim by the plaintiffs that WSU had not performed its due diligence to protect the data. Storing the data at an insecure location allowed the breach to occur.

The case was settled by WSU and its insurers for $4.7 million. In addition, WSU agreed to pay the costs of credit monitoring for 2 more years for each of the victims of the theft. WSU maintains that paying the settlement was the quickest way to resolve the situation.

WSU also agreed to update its policies and procedures and to improve its security. All backup data will now be stored in secure locations. In addition, WSU agreed to destroy all archived data from the project.

Keep in mind that this was not an HHS OCR investigation. This was a lawsuit filed by people whose data had been stolen. HIPAA audits and fines aren’t the only thing a practice must be concerned with when a breach of PHI occurs.

Unencrypted hard drives are almost always a bad idea

This could all have been avoided if the hard drives had simply been encrypted. In the past, encryption was harder to work with. But now it is built into nearly all operating systems and can be used at no cost to practices. There is no excuse not to do it. In this case, the drives were stored inside a safe. WSU assumed that they were safe and that its obligation to protect the data had been fulfilled. But what happens when your entire safe is stolen? With encryption, the data would have remained protected even after the safe itself was taken.

Are you using encryption in your practice?

If your practice has performed a Risk Assessment, how did you address encryption? Did you decide it wasn’t necessary? What if your practice was robbed and your computers were all stolen?

If you are using Windows 10 Professional, then BitLocker is built in at no cost. Some versions of Windows 7 also have BitLocker, but soon, using Windows 7 will be a HIPAA violation on its own. You can turn it on and encrypt the hard drives in your practice. BitLocker can also handle encrypting external hard drives for backups. While it may take a little pre-planning to implement, it isn’t difficult.

Locate all of the devices in your practice that contain PHI. Make sure to include any backup drives as well. Create a plan to encrypt each computer and drive using the built-in encryption in Windows 10. Execute your plan and make sure each device is properly encrypted. After that, update your practice’s policies and procedures to document that you have encrypted your devices.
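The "make sure each device is properly encrypted" step is the one practices most often skip. The script below is an added example, not part of the original post: it inventories every fixed and removable drive on a Windows 10 Pro machine, reads its BitLocker state, and flags any drive that would still be readable if the physical disk were stolen. It assumes the built-in BitLocker PowerShell module and an elevated PowerShell session; the function name and the list of accepted encryption methods are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumes Windows 10 Pro with the
# built-in BitLocker module; run from an elevated PowerShell prompt.
Import-Module BitLocker

function Get-PhiDriveEncryptionReport {
    [CmdletBinding()]
    param(
        # Encryption methods the practice accepts; anything weaker (or none) is non-compliant.
        [string[]]$AcceptedMethods = @('XtsAes256', 'XtsAes128')
    )

    # Only drives that can hold PHI: lettered fixed disks and removable/backup drives.
    $volumes = Get-Volume | Where-Object {
        $_.DriveLetter -match '[A-Z]' -and $_.DriveType -in 'Fixed', 'Removable'
    }

    foreach ($vol in $volumes) {
        $mount = "$($vol.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue

        $protectorTypes = @()
        if ($bl) { $protectorTypes = @($bl.KeyProtector | ForEach-Object { $_.KeyProtectorType }) }

        # A drive only counts as protected at rest when it is FULLY encrypted AND
        # protection is On; a suspended drive (ProtectionStatus Off) opens in the clear.
        # A recovery password protector is required so the practice can still read its
        # own data if the TPM or PC fails.
        $compliant = $bl -and
                     $bl.VolumeStatus -eq 'FullyEncrypted' -and
                     $bl.ProtectionStatus -eq 'On' -and
                     ($bl.EncryptionMethod.ToString() -in $AcceptedMethods) -and
                     ($protectorTypes -contains 'RecoveryPassword')

        [pscustomobject]@{
            Drive             = $mount
            DriveType         = $vol.DriveType
            VolumeStatus      = if ($bl) { $bl.VolumeStatus } else { 'NoBitLockerInfo' }
            Protection        = if ($bl) { $bl.ProtectionStatus } else { 'Off' }
            Method            = if ($bl) { $bl.EncryptionMethod } else { 'None' }
            RecoveryPassword  = ($protectorTypes -contains 'RecoveryPassword')
            Compliant         = [bool]$compliant
        }
    }
}

# Run the check, show it, and keep a dated CSV as evidence for the practice's policies and procedures.
$report = Get-PhiDriveEncryptionReport
$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:USERPROFILE\BitLocker-Inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$report | Where-Object { -not $_.Compliant } | ForEach-Object { Write-Warning "$($_.Drive) is not protected at rest" }
```

Run it on each computer in the inventory you built in the first step, and keep the CSV with the risk assessment; a drive reported as EncryptionInProgress or with Protection Off is not yet done, even though BitLocker has been "turned on".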

Using encryption to protect PHI is not difficult and with BitLocker being built into Windows 10, practices have no excuse not to use it.