University doctor loses patient info

The physician accidentally lost a flash drive containing information about more than 1,300 patients.

A University physician lost a flash drive in late December, which contained information about 1,300 patients at the University’s fertility clinic.

Dr. Theodore Nagel lost the drive, which contained names, birthdates and diagnostic and treatment information of his patients, according to a letter dated Dec. 28, sent by Nagel to his patients.

While the loss of patient information is significant, at least one violation of University policy occurred in the incident.

University policy states patient information must be encrypted and that data shouldn’t leave medical facilities, Carl Anderson, chief operating officer at Boynton Health Service, said.

The information contained on the drive was not encrypted, spokeswoman for University Physicians Mary Koppel said.

As a member of University Physicians, Nagel was not subject to the same University policies regarding the transportation of patient information, Koppel said.

There is also no evidence that Nagel took the drive to any prohibited buildings or off campus, Koppel said.

Neither the fact that the information was not encrypted nor an explanation of the University’s policies regarding the handling of sensitive materials is included in the letter.

Despite the fact that Nagel didn’t encrypt the information, Anderson said it is more important to not allow information to be transported.

“The primary policy or first line of defense should be that the data can’t leave,” he said. “I don’t think there’s too many conditions where organizations allow data to be transported anymore. I think it’s becoming more the exception than the rule.”

While there was medical information on the drive, data such as Social Security numbers, addresses or financial information were not included, according to the letter.

Officials are currently searching for the drive, according to the letter, but it may be permanently lost.

The Academic Health Center provides its physicians with rigorous training regarding the handling of patient information, but leaks can still occur, AHC spokeswoman Molly Portz said.

“We need to take into consideration when you got humans involved, there will be situations where people don’t follow the policies,” she said. “In this case, regrettably, the policy was not followed.”

AHC officials are working to notify all of Nagel’s patients, Koppel said. It established a hotline for patients to find out what information about them was contained on the drive, according to the letter.

The patients affected by the loss of the drive could file a complaint under the Health Information Portability and Accountability Act, established in 1996, said Sharon Sandeen, an associate professor at Hamline Law School who teaches information privacy law.

“Based on that law, covered entities have to take reasonable steps to protect patient information,” Sandeen said.

From there, it’s the Department of Health and Human Services’ responsibility to investigate civil and criminal liability, Sandeen said.

At the state level, there has to be harm caused, Sandeen said, and generally, any potential case depends on who finds the information and what they do with it.

Anna Ewart contributed to this report.