According to an article posted by the HIPAAJournal.com, an unencrypted portable hard drive containing the PHI of 660 patients has been reported as missing.

Although use of a portable hard drive in a medical practice is perfectly fine, the hard drive must be protected by an encryption product such as Bitlocker.  Greenmark IT recommends the Apricorn Aegis line of hard drives that have built-in encryption algorithims and a built-in keypad for unlocking the drive.

This type of drive automatically encrypts everything written to it.  In fact, you can’t even use the drive without unlocking it with a code.  The drives are so secure that their internal components are completely encased in epoxy.  Any attempt to remove the encasing will completely destroy the drive, making the contents unaccessible.

A point of concern about the theft was the amount of time EMMC took to report the theft.  In fact, the HIPAA Breach Notification rule allows up to 60 days to report a significant breach (over 500 patients affected).  The rule also allows for more time if a federal agency is involved that wishes to have the breach kept quiet in order to more effectively perform their investigation.  Since EMMC reported the breach within 30 days, they are operating well within the specified time frame.

It should be noted, however, that I personally witnessed outrage in the comments attached to this story when it ran in local newspapers.  Patients, whether affected or not, lost a huge amount of confidence in EMMC when this occurred.

EMMC is a huge organization with very little competition, so I personally doubt that this will impact their patient count very much.  However, what if this happened to a small practice with 1000 patients?  How many patients would they lose?

If your practice needs assistance implementing HIPAA, don’t hesitate to give us a call today.

Posted below is the original article.


Eastern Maine Medical Center is notifying 660 patients that some of their protected health information has been exposed. The sensitive information was stored on a portable hard drive that has gone missing from its State Street facility, in Bangor, ME.

The device lacked encryption and data on the device could be accessed without the need for a password. Theft has not been confirmed, but the device could not be located during a search of its facility. The drive was last seen in its usual place on December 19, 2017 and was noticed to be missing on December 22.

The device belonged to a business associate of Eastern Maine Medical Center and contained limited patient information. No Social Security numbers, financial information, or health insurance details were present on the device, only full names, birth dates, dates of service, medical record numbers, one-word condition descriptors, and procedural images.

The patients impacted by the breach had visited the medical center for cardiac ablation procedures between January 3, 2011 and December 11, 2017. Not all patients who visited the medical center for those procedures were affected. Some patients had their data stored elsewhere.

The potential theft has been reported to law enforcement and investigations into the circumstances surrounding the loss/theft of the hard drive are continuing. A comprehensive search of the facility was conducted although the device has now been officially declared lost and patients are now being notified of the breach by mail.

The delay in issuing breach notification letters was due to the time taken to search the facility and discover which patients’ PHI was stored on the device.

Even though the types of information required to commit identity theft were not exposed, all patients impacted by the incident have been offered complimentary identity theft monitoring and protection services for 12 months out of “an abundance of caution”.

Donna Russell-Cook, Eastern Maine Medical Center president, said “We take our commitment to uphold our patients’ privacy very seriously and are reviewing our processes to strengthen data security.”