Denton Heart Group, located throughout Dallas, has notified 21,665 patients that their protected health information has been compromised as a result of the theft of a hard drive from a locked closet.

The hard drive that was in the closet contained the group’s backup data from the practice’s electronic health system—which included apparently of all of their patients’ information over the span of 8 years.

The stolen data included patients’ demographic data, which may have included name, address, date of birth, driver’s license numbers, Social Security numbers, insurance information and policy numbers, physician names and diagnoses, conditions, lab results, and medications from 2009-2016.

Lessons learned? Reconsider data destruction practices so PHI is not kept longer than is legally required, and data security practices that include not keeping back up tapes of your entire EMR in a locked closet on the premises.