Can lost devices amount to HIPAA violations?

When a device containing protected health information (PHI) is lost or stolen, it's generally considered a security incident that requires immediate evaluation. However, whether it constitutes a reportable HIPAA breach depends on several factors.

Case study

The University of Texas MD Anderson Cancer Center v. U.S. Department of Health and Human Services (2021), case is an example of the consequences of inadequate device security in healthcare settings. In 2021, the center faced a $4.3 million penalty for HIPAA violations stemming from three separate incidents involving lost or stolen unencrypted devices. Between 2012 and 2013, an unencrypted laptop was stolen from a physician's home, and two unencrypted USB drives were lost, collectively exposing the PHI of over 33,500 patients.

According to a Notice of Proposed Determination by the Department of Health and Human Services (HHS), MD Anderson had maintained written encryption policies since 2006 and had even purchased encryption software. However, they failed to implement these measures consistently across their devices. Their own risk analyses conducted between 2006 and 2011 had explicitly identified the lack of encryption as a serious security vulnerability, yet the organization failed to take corrective action.

The court's ruling was noteworthy as it rejected MD Anderson's argument that they weren't legally obligated to encrypt devices. The Office for Civil Rights (OCR) classified these violations as "willful neglect," emphasizing that merely having security policies on paper is insufficient – organizations must actively implement and maintain their security measures. 

Encryption status

If the lost device was encrypted to HIPAA standards, the loss typically doesn't constitute a reportable breach. This is because properly encrypted PHI remains inaccessible. However, encryption must be validated and documented before making this determination.

As former OCR Director Roger Severino stated in a press release: "Laptops, cellphones, and other mobile devices are stolen every day, that's the hard reality. Covered entities can best protect their patients' data by encrypting mobile devices to thwart identity thieves." This guidance comes from lessons, as demonstrated in the 2017 Lifespan Health System case, where an unencrypted MacBook stolen from an employee's car led to the exposure of 20,431 patients' data and resulted in a million-dollar settlement.

Learn more: What devices must be encrypted for HIPAA?

Device access controls

Device security measures include:

• Password protection and complexity
• Biometric authentication
• Remote wiping capabilities
• Automatic lock settings
• Multi-factor authentication

As former Twitter and Mozilla CISO Michael Coates notes, "When you see (security breaches) in the news and think, 'What should we do?' it's not that you need to have the most advanced new technology that doesn't exist. You need to go back to basics and say, 'We know what we need to do.' It's strong passwords. It's hashing. It's good security practices."

Learn more: What is mobile device management?

PHI exposure assessment

According to the Centers for Medicare and Medicaid Services (CMS), “The unpermitted use or disclosure of PHI is a breach unless there’s a low probability the PHI has been compromised, based on a risk assessment of: The nature and extent of the PHI involved, including types of identifiers and the likelihood of re-identification; The unauthorized person who used the PHI or got the disclosed PHI; Whether an individual acquired or viewed the PHI; The extent to which you reduced the PHI risk.”

Therefore, organizations must evaluate:

• What types of PHI were stored on the device
• How much PHI was potentially exposed
• Whether the PHI can be remotely deleted
• The likelihood of unauthorized access

For example, in the Lifespan case, the exposure assessment revealed that thieves had access to:

• Patient names
• Medical record numbers
• Demographic information, including partial address information
• Medication information that was prescribed or administered to patients
• Information spanning multiple affiliated provider facilities

Financial and reputational implications 

The consequences of a HIPAA violations are than just penalties. Different healthcare cybersecurity sources provide the following information:

• According to an article published in August 2024 by Healthcare Dive, “In healthcare, cybersecurity has become a growing challenge as the industry manages more sizable data breaches that could expose sensitive health information. Breaches are also increasingly linked to hacking or ransomware, a type of malware that denies users access to their data until a ransom is paid, according to the HHS’ Office for Civil Rights. The average cost for a breach in the industry this year was $9.8 million, a decline from 2023 when the price tag reached $10.9 million.” 
• The American Dental Association explains that potential financial penalties range from $100 to $50,000 per violation, with annual caps of $1.5 million for repeated violations
• According to the Healthcare Dive article titled Study: Most patients would leave their provider after a data breach, “TransUnion Healthcare found that more than half of recent hospital patients are willing to switch healthcare providers if their current provider undergoes a data breach. Nearly seven in 10 respondents (65%) would avoid healthcare providers that experience a data breach. Older and younger consumer groups responded differently to data breaches. While 73% of recent patients ages 18 to 34 said they were likely to switch healthcare providers, older consumers were less willing. Nearly two-thirds (64%) of patients older than 55 were not likely to consider switching healthcare providers following a data breach.”

A systematic analysis of failures in protecting personal health data: A scoping review, published in ScienceDirect, examines factors contributing to reputational damage in healthcare organizations:

• Privacy concerns: Data breaches trigger patient anxiety about unauthorized access to their personal health information. Patients become reluctant to share sensitive medical details, fearing potential misuse or exposure of their private health data.
• Health information sharing reduction: When patients lose confidence in a healthcare organization's ability to protect their data, they become hesitant to disclose critical health information. This reduction in sharing can directly impact the quality and effectiveness of medical care.
• System use decline: Patients may reduce or completely abandon using digital health platforms following a data breach. Concerns about system vulnerabilities and potential confidentiality breaches lead to decreased engagement with electronic health records and patient portals.
• Trust erosion: Data breaches undermine patient trust in healthcare providers. Once trust is damaged, patients become skeptical about an organization's commitment to protecting their personal information, which can lead to long-term reputation damage and potential patient migration to alternative healthcare providers.
• Care quality perception: Patients' perception of care quality diminishes after a data breach. The belief that an organization cannot safeguard sensitive information translates into reduced confidence in the overall quality of medical services provided.
• Financial repercussions: Beyond immediate penalties, organizations face costs in rebuilding their reputation. This includes increased advertising expenditures, implementing new security measures, and conducting trust repair initiatives.

Emerging technologies in PHI protection 

In The Future of Patient Data Security: Exploring Emerging Technologies and Collaborative Approaches, Naga Vinodh Duggirala presents the following emerging technologies for protecting PHI:

• Blockchain: By using blockchain, healthcare organizations can create an immutable record of all transactions involving PHI, enhancing data integrity and preventing unauthorized modifications. Blockchain can also facilitate secure data sharing between healthcare providers, researchers, and patients, enabling more efficient and effective care delivery.
• Artificial intelligence: Machine learning algorithms can analyze large volumes of data to identify unusual patterns and potential security incidents, such as unauthorized access attempts or data exfiltration. AI-powered tools can also help automate security tasks, such as patch management and vulnerability assessments, freeing up IT staff to focus on more strategic initiatives.

Remote work and mobile device challenges 

A study by the National Institutes of Health (NIH) on mobile device security and the perspectives of future healthcare workers found that healthcare professionals have a complex relationship with mobile device security, characterized by “perception-action gaps”. While 76 percent recognize potential dangers to personal information and 87 percent view a security breach as a privacy invasion, only 42 percent actively implement security safeguards. 

Additionally, technological competence reveals mixed results, with 82 percent believing security safeguards are effective, but only 36 percent knowing how to obtain them. Knowledge about specific protection mechanisms differs: 61 percent understand password or biometric access control, but merely 29 percent know how to protect against malware, and 27 percent comprehend encryption's security benefits. Despite 70 percent recognizing the importance of backup and recovery systems, only 33 percent are knowledgeable about anti-theft applications.

According to The Future of Security in a Remote-Work Environment by the NIH, “Pew Research recorded a 51% increase in the number of people working from home, a total of 71% of all participants surveyed. In the same study, 54% of people said they would prefer to work from home going forward. Although this was not indicative of whether or not their companies would let them go remote or to what degree, it was indicative of the remote-work trend. Several security risks immediately are brought to the forefront as issues that companies should consider.”

The security risks mentioned by the NIH article include: 

• Creating a security-focused culture: Human error is the biggest information security threat, having a wide range of potential vulnerabilities. From employees connecting to unsecured public WiFi without protection to clicking phishing emails or using personal devices for work, these minor actions can create substantial breach risks. Engaging the entire workforce by highlighting potential risks, explaining their common characteristics, and providing comprehensive resources is crucial for building a security environment.
• Device and account security: While companies frequently issue work devices, employees often supplement or replace these with personal technology, expanding potential security vulnerabilities. Implementing security measures like VPN, multi-factor authentication, and enterprise-wide mobile device management becomes essential in mitigating risks associated with diverse device ecosystems.
• Safely using the cloud: Cloud technologies have are as a solution for secure remote collaboration, offering protection mechanisms that surpass traditional on-site data storage. Particularly beneficial for small and mid-sized businesses, cloud platforms provide end-to-end encryption, advanced privacy controls, and consistent system maintenance. For example, Paubox offers HIPAA compliant email encryption and cloud security solutions, making sure that sensitive data remains protected while enabling secure communication.

Learn more: HIPAA and mobile devices

FAQs

Does every lost device containing PHI automatically constitute a HIPAA violation? 

No, not every lost device automatically constitutes a HIPAA violation. If the device was properly encrypted to HIPAA standards, the loss typically isn't considered a reportable breach since the PHI remains inaccessible. 

What immediate steps should an organization take when a device containing PHI is lost or stolen?

Organizations should immediately report the incident to their Privacy Officer, document all known details, attempt to remotely wipe the device if possible, conduct a risk assessment, and determine if breach notification is required. 

What is remote wiping?

Remote wiping is a security feature that allows an organization to erase data from a lost or stolen device to prevent unauthorized access.

How does cloud security compare to traditional on-site storage?

Cloud security often provides stronger encryption, automated updates, and scalable protections that surpass traditional on-site storage solutions.

Does cloud security eliminate the risk of data breaches?

While cloud security significantly reduces risks, no system is completely breach-proof, so continuous monitoring and strong access controls are essential.