In another classic case of – the business associate is at fault, but the covered entity takes the wrap – the latest breach disclosed by MidState Medical Center in Connecticut is a classic case. The breach itself is indicative of a pretty vanilla data-loss vector. While few details have been released, the hospital’s own news release indicates that data had been copied to an external drive by a worker who wanted to use the data to work at home. The drive was subsequently misplaced and is now unaccounted for along with the protected health information (PHI) of 93,000 customers.
While the liability argument will likely be continued privately for some time between MidState Medical Center and the business associate, Hartford Hospital – for now MidState is taking the brunt of the public impact.