Posted Oct 11, 2011 12:38 pm CDT
The Baltimore law firm Baxter, Baker, Sidle, Conn & Jones wanted to keep its computer files safe from fire or flooding, so an employee toted a portable backup hard drive home each night.
But the employee lost the hard drive on the train, the Baltimore Sun reports. The data was password-protected, but it was not encrypted, the newspaper says. The hard drive included Social Security numbers and other information on 161 stent patients suing a cardiologist who was a client.
The Sun learned of the problem through a letter sent to one of the patients last week, two months after the hard drive was lost. “We have no reason to believe that the information on the portable hard drive has been accessed or used improperly,” the letter said. “The software was password-protected. Furthermore, it would take specialized technical expertise, software and hardware to access the records stored on it.”
The Health Insurance Portability and Accountability Act requires “covered entities” to encrypt patient data; law firms may not be subject to the mandate, according to Marc Rotenberg, executive director of the Electronic Privacy Information Center and an adjunct professor at Georgetown University Law Center. Still, he told the Sun, the lost hard drive could be a “problem for the firm, because people might say they were being negligent.”