660 patients of Eastern Maine Medical Center were notified of a potential exposure of their protected health information. The portable hard drive that contained the sensitive information disappeared from its State Street facility in Bangor, ME. The device was not encrypted, so anyone who has it can access the data without a password. It is not yet certain that the device was stolen, but it cannot be located anywhere in the facility. It was last seen on December 19, 2017 and has not been found since December 22.
A business associate of Eastern Maine Medical Center owns the device, and it contained only limited patient information. It didn’t contain Social Security numbers, health insurance information or financial information. It did contain patients’ full names, dates of birth, dates of service, medical record numbers, procedural images and one-word condition descriptors.
The patients impacted by the breach last visited the medical center between January 3, 2011 and December 11, 2017 for cardiac ablation procedures. Not every patient’s data was affected, because some data was stored elsewhere.
Eastern Maine Medical Center reported the potential theft to law enforcement, who investigated the matter. A comprehensive search of the facility did not turn up the device, so the investigators officially declared it lost. Patients have been sent breach notification letters. The notification was delayed because of the time it took to search for the device and to identify which patients’ PHI was compromised.
The exposed information is not of the types used by hackers to commit identity theft. Nevertheless, the medical center offered the patients impacted by the breach free identity theft monitoring and protection services for 12 months. Eastern Maine Medical Center President Donna Russell-Cook also stated, “we uphold our patients’ privacy very seriously and are reviewing our processes to strengthen data security.”