The 161 patients of Dr. Mark G. Midei who are party to a malpractice suit against the cardiologist may have had their personal information compromised as a result of the security practices of a Baltimore law firm, reports Tricia Bishop.
According to the story, an employee of Baxter, Baker, Sidle, Conn & Jones, which represents Midei, lost a hard drive with back-up information, which was "taken home nightly as a security precaution in case of fire or flood, a firm spokesman said, though the portable information was not encrypted — among the most stringent security precautions that is standard practice for health professionals dealing with medical records."
Hindsight is 20-20, of course, but this example shows how an attempt to maintain security (in case of natural disaster) actually left the firm vulnerable not only to theft but also to human error of a very non-technical variety. According to the story, the law firm is now "encrypting its data and is looking into off-site data storage."
The story points out that this situation may reveal a loophole in the Health Insurance Portability and Accountability Act, or HIPAA, because it doesn't specifically mention that malpractice attorneys need to safeguard data.
Data on the hard drive included patients' names, addresses and Social Security numbers, as well as their dates of birth and insurance information.
In Maryland, the law requires "any business that keeps electronic records containing the personal identifying information of Maryland residents to notify those residents if their information is compromised," according to the identity theft unit of the state attorney general's office.