Lost Thumb Drive at Arnold Palmer Medical Center Contains Information on 586 Child Patients

Wednesday, April 2, 2014
By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

An unencrypted flash drive containing limited information on 586 children treated at Orlando Health's Arnold Palmer Medical Center between 2009 and 2013 was misplaced, according to the hospital. The lost drive is being treated as a data security breach. However, there is no evidence that any of the information on the flash drive was accessed or used by any unauthorized individual.

As a precaution, on March 24, 2014, the hospital began notifying affected families.

Click here to read the statement on this incident from Arnold Palmer Medical Center.

Hospital Speculates Thumb Drive Was Thrown Out.

According to the Orlando Sentinel, on February 12, 2014, the hospital learned that the flash drive was misplaced. The information on the device includes last names, assigned medical record numbers, dates of birth, gestational ages, birth weights, dates of hospitalization, and in some cases, transfer dates of the children who were patients at other hospitals.

To read the entire article from the Orlando Sentinel, click here.

The hospital states that upon learning of the incident, it immediately conducted an unsuccessful search in an attempt to locate the flash drive. The hospital speculates the thumb drive may have been placed in the pocket of a disposable lab coat and mistakenly discarded along with the coat.

To prevent a similar incident from happening again, the hospital is re-educating its workforce members regarding the use of portable devices and the importance of handling patient information securely.

Be Careful With Technical Equipment Containing Internal Memory.

This incident is an important reminder about equipment designed to retain electronic information. Health Insurance Portability and Accountability Act (HIPAA) covered entities are responsible for making sure all personal information is protected.

In today’s technological society everyone must be continually vigilant about the machines and equipment used. Many different types of devices now contain internal memory chips and hard drives that may store data that is difficult to erase. These may include photocopiers, scanners and fax machines, in addition to computers and servers. Security videos and communications monitoring systems may also maintain such information. Backup tapes and modern cell phones are other possible examples. These should be professionally cleaned of all data or destroyed before discarding them, selling them or trading them in for newer models.

To read a previous blog on Affinity Health Plan settling with the government in a photocopier HIPAA breach incident, click here. To read a previous blog on a dermatology practice settling with the government after a stolen USB drive resulted in a HIPAA breach, click here.

Practical Tips.

The following are some practical tips to use when handling protected health information. Share them with others in your organization:

1. Ensure that all types of electronic media by which you transfer patient health information of any kind are encrypted. This includes thumb drives, CD-ROMs, DVDs, backup tapes, mini hard drives and anything else.
2. Try not to remove any patient information from your work site. If you need to work on it remotely, use a secure, encrypted internet connection to access your work database. Avoid saving the work or data onto your laptop hard drive or other removable media.
3. Never leave your laptop or other media in a car that is being worked on by a mechanic, getting an oil change or being washed, or while you run into a store. Thieves stake out such locations and wait for careless individuals to do this.
4. Never leave your laptop, thumb drive or other electronic media from work in your car. What can be worse than having your car stolen? Having your car stolen with your laptop in it with patient information on it.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations or corrective action plans (CAPs), visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.


How does your practice protect patients' health information? Could a thumb drive be misplaced at your practice? Would you know what to do if that happened? Please leave any thoughtful comments below.


Powers, Scott. "Hospital's Missing Data Drive Contains Info on Child Patients." Orlando Sentinel. (March 24, 2014). From: http://www.orlandosentinel.com/health/os-orlando-health-data-breach-20140324,0,5529196.story

Arnold Palmer Medical Center. "Notice Regarding Lost Flash Drive." Arnold Palmer Medical Center. (March 24, 2014). From: http://www.orlandohealth.com/mediabank/docs/Privacy_Notice_Website.pdf

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

