Two Data Breaches in Kentucky
Two Kentucky hospitals in recent days have disclosed breaches of protected health information.
Our Lady of Peace, a psychiatric hospital in Louisville, is notifying 24,600 individuals after a flash drive came up missing on April 1.
The new breach notification rule under the HITECH Act requires disclosures within 60 days for breaches known to affect 500 or more individuals. Smaller breaches must be reported on an annual basis.
The flash drive contained unencrypted data on patients admitted since 2002 and patients assessed, but never admitted, since 2009. Data on admitted patients included name, room number, insurer name, and admission and discharge dates. It did not include diagnoses or treatments, Social Security number, date of birth, telephone numbers or address.
Our Lady of Peace now is reeducating employees on ways to protect patient information, implementing encryption technology and disciplining an undisclosed number of employees, according to a media statement. A spokesperson declined further comment.