How far does the Health Insurance Portability and Accountability Act (HIPAA) extend? That is the question facing a large medical malpractice defense law firm now that one of its employees has lost a hard drive containing detailed information for 161 patients involved in a lawsuit against Mark Midei, MD, a cardiologist accused of performing hundreds of unnecessary stent procedures at St. Joseph Medical Center in Towson, MD.

The medical center took away Midei’s privileges in 2009, and earlier this year the physician’s medical license was revoked by the Maryland Board of Physicians after it found that Midei violated the state’s Medical Practice Act.

During its discovery process, the law firm Baxter, Baker, Sidle, Conn & Jones, which represents Midei, obtained medical records related to the stent claims, including personal information such as patient names, addresses, dates of birth, insurance information and Social Security numbers. The information was stored on a portable hard drive and password protected.

As part of its security precautions, a law firm employee would take the hard drive home nightly in order to protect it from fires, floods or other disasters. Unfortunately, this employee accidentally left the device on the Baltimore Light Rail, and although she returned for it within a few minutes, it was already gone.

The law firm has since issued letters of apology to those whose records were lost and has offered these patients a one-year membership to an anti-identity theft service as a precaution.

HIPAA, which mandates the protection of patient information, requires that “covered entities” – insurance companies, health care providers and data management companies – encrypt patient data. However, malpractice attorneys and firms are not specifically mentioned in the act.

While the lost information was password protected, it was not encrypted. The law firm has now begun encrypting its data and is exploring alternate data storage methods.