Charles River Medical Associates has lost a hard drive containing information and images of more than 9,300 patients

MA radiology lab loses medical records of more than 9,300 patients

January 10, 2018
by John R. Fischer, Senior Reporter

A portable hard drive containing the records of more than 9,300 patients may be at risk of breach after going missing from a Massachusetts-based radiology lab, and the facility is unable to locate it.

Charles River Medical Associates in Framingham reported this month that an unencrypted hard drive containing personal information and X-ray images of 9,387 patients from the past eight years went missing from its bone density testing workstation in late November, and could not be located following an extensive investigation.

“CRMA understands that this unfortunate event may pose an inconvenience,” the company said in a statement. “CRMA sincerely regrets that this incident occurred. CRMA is committed to providing quality care, including protecting its patients’ personal information, and wants to offer assurances that CRMA has policies and procedures in place to protect patient privacy.”

The drive, used to perform monthly backups, contained patient names, dates of birth, CRMA patient ID numbers and radiology images related to bone density testing. Addresses, phone numbers, credit card information, social security numbers, insurance information and other financial information were not on the drive.

Without the drive, CRMA is unable to verify whether any information on it has been, or is at risk of being, compromised.

In response, the radiology lab is auditing all hardware and software systems to implement appropriate security features, and is limiting its use of removable storage by no longer using unencrypted portable storage devices.

It is also providing staff with additional training to reinforce privacy and security expectations, and it advises clientele to review their statements regularly for unexpected items, accounts, and services, and to monitor their credit reports.

“If any suspicious activity is suspected or has occurred with any of an individual’s accounts, please report such activity to CRMA and an appropriate legal authority,” the company said in a statement. “Such legal authorities may include the Massachusetts Attorney General, local law enforcement, or the Federal Trade Commission. Further, options are available for protecting an individual’s credit through each of the identified agencies, with more information available on their respective websites on how to access or implement those options.”

Breaches in health care continue to be a growing concern, with hefty repercussions not just for patients but for companies too. Insurance provider Anthem paid $115 million in July to settle a lawsuit concerning the loss of personal data for 78.8 million individuals from a cyberattack two years prior. A research survey released in December found that more than 8 in 10 providers lack reliable leadership for combating cybersecurity attacks.

Executive director Brian Parillo told HCB News that he would “prefer not to comment” on the loss.