A Baltimore law firm lost a portable hard drive containing information about its cases, including medical records for 161 stent patients suing cardiologist Dr. Mark G. Midei, a firm client, for alleged malpractice at St. Joseph Medical Center in Towson.
The drive was lost Aug. 4 by an employee of Baxter, Baker, Sidle, Conn & Jones who was traveling on the Baltimore light rail, according to a letter obtained by The Baltimore Sun that was sent to one of the stent patients last week — two months after the drive went missing.
The storage device held a complete back-up copy of the firm's data, including medical records related to the stent malpractice claims, along with patient names, addresses, dates of birth, social security numbers and insurance information.
It was taken home nightly as a security precaution in case of fire or flood, a firm spokesman said, though the portable information was not encrypted — among the most stringent security precautions that are standard practice for health professionals dealing with medical records.
But it's unclear if the law firm would be covered by the medical record privacy law, the Health Insurance Portability and Accountability Act, commonly known as HIPAA. The incident may have exposed a loophole, said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington and an adjunct professor at Georgetown University Law Center.
HIPAA regulates the protection of patient information by "covered entities" — providers of health care or health plans and data management companies. But malpractice attorneys aren't expressly mentioned.
"Under HIPAA, covered entities have an affirmative obligation to encrypt" data, Rotenberg said, adding that it "may be the case that a law firm is not a covered entity." He called the lost drive a "serious issue, particularly considering the sensitivity of medical information" and said that situation could pose a "problem for the firm, because people might say they were being negligent."
The woman who lost the hard drive — a metal box that is about 8 inches long by 6 inches wide — returned for it within 10 minutes, but it was already gone, according to a Baxter representative.
"We have no reason to believe that the information on the portable hard drive has been accessed or used improperly. The software was password-protected. Furthermore, it would take specialized technical expertise, software and hardware to access the records stored on it," the letter sent to patients said.
It was signed by Anders Backlund, a senior vice president at the Omaha-based Preferred Professional Insurance Co. — PPIC — which provides liability coverage to St. Joseph physicians and hired the Baxter firm to represent Midei.
PPIC has offered patients whose records were lost a one-year membership to an anti-identity theft service "as a precautionary measure" on "behalf of St. Joseph Medical Center." The service "helps detect possible misuse" of personal information, Backlund's letter said.
The insurance company did not respond to questions from The Sun. St. Joseph confirmed the security breach in an emailed statement, saying it had been "recently informed" of the incident.
Reached on vacation, attorney Robert Weltchek, whose law firm represents several stent patients suing Midei, said the security breach seemed to be an "innocent mistake."
"It could happen to anybody," Weltchek said, noting that one of his clients received a letter warning of the lost hard drive. He added that "it's unfortunate that it happened to a group of people who've already been victimized."
Midei is being sued by dozens of former patients who allege he falsified their records to justify unnecessary and expensive cardiac stent procedures at St. Joseph over several years. His practice privileges at St. Joseph were removed in mid-2009. And his medical license was revoked in July by the Maryland Board of Physicians, which found that Midei violated the state's Medical Practice Act through unprofessional conduct, false reports and gross overuse of health care services among other charges.
The Baxter firm said it notified St. Joseph and PPIC of the hard drive loss within days via telephone and sent a formal letter confirming the incident to the hospital on Sept. 16 and the insurance company on Sept. 22. The affected patients were notified Oct. 4, in accordance with HIPAA requirements for covered entities, the firm said.
Such entities that improperly release health information "must notify affected individuals … without unreasonable delay and in no case later than 60 days following the discovery of a breach," under HIPAA, according to a U.S. Department of Health and Human Services website explaining the law.
A Baxter spokesman said the company also contacted individuals who were affected by the security breach but not involved in malpractice cases, though he declined to identify them to The Sun, citing "attorney-client" privilege.
The company said it also has begun encrypting its data and is looking into off-site data storage.
"We deeply regret any inconvenience this may cause you," the letter to patients said. "We have taken this seriously."