In our last post, we discovered that since 2012, the average HIPAA fine for a stolen unencrypted laptop cost an astounding $881,305. In this post, we'll take a look at two instances in which stolen thumb drives (USB drives) led to costly HIPAA fines. We’ll also discuss why a stolen thumb drive can incur such heavy penalties.
A Stolen Thumb Drive in Massachusetts costs $150K
On 26 December 2013, a HIPAA entity in Massachusetts agreed to pay a $150,000 fine to settle HIPAA violations due to a stolen thumb drive. The unencrypted thumb drive contained the electronic protected health information (ePHI) of over 2,000 people. It was stolen from the car of one of its employees and was never found.
$1.7M Fine for A Stolen USB Drive in Alaska
On 26 June 2012, the Alaska Department of Health and Social Services agreed to pay a $1,700,000 fine to settle HIPAA violations due to the theft of a USB hard drive (thumb drive). In this case, the stolen USB drive was also unencrypted and was also stolen from a car.
HIPAA Fines and Stolen Thumb Drives
As we saw in our previous post on stolen laptops, large HIPAA fines for stolen thumb drives were again due to the drives being unencrypted. In this case, the data shows that since 2012, it costs an average of $925,000 in HIPAA fines for a single stolen thumb drive. In our opinion, thumb drives should be eliminated from the workplace of HIPAA entities.
- Encrypting a thumb drive is beyond the technical ability of most users. As we saw in the two HIPAA fines above, the root cause of both fines was that the stolen thumb drives were unencrypted.
- There's now a lack of credible solutions for encrypting thumb drives. For power users, a popular tool has been TrueCrypt. Unfortunately, TrueCrypt announced in May 2014 that it was stopping development. On its homepage, TrueCrypt is now warning users, "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues."
- Managing thumb drive inventory is a HIPAA compliance nightmare. While IT managers can identify and properly encrypt computer hard drives (desktops and laptops), allowing small, cheap, hard-to-encrypt thumb drives is a recipe for HIPAA fines.
Thumb Drives Can and Should Be Replaced by HIPAA Compliant File Sharing Services
We built Paubox based on customer feedback. Part of that feedback involved developing a central, secure, HIPAA compliant service for file sharing, storage and messaging. We determined the best way to deliver that solution was not by building thumb drives or portable hard drives. It was instead by developing, from the ground up, a compliant, high encryption (256-bit) solution using cloud technology. In a nutshell, we believe HIPAA compliant cloud services like Paubox will become the standard for HIPAA compliance within and outside the workplace.