A North East Medical Services (NEMS) HIPAA breach has been reported which exposed the Protected Health Information of almost 70,000 patients after an unencrypted laptop was stolen from a NEMS employee’s car.
According to a breach notice sent to the California Department of Public Health, the incident occurred on July 11, 2015. The laptop was left in the locked trunk of a vehicle from where it was subsequently stolen. The healthcare provider was alerted to the equipment theft on July 13.
The investigation launched following the theft revealed that the laptop contained data relating to 69,246 patients. According to the breach notice, the data consisted of one or more of the following elements: patient name, gender, date of birth, address, phone numbers, and payer/insurer information. No full medical records were stored on the laptop, although spreadsheets on the computer listed some patients’ diagnoses, test results, medications, treatments and appointment times.
The laptop held no Social Security number or financial data fields as such; however, for 28 individuals the insurer account number stored on the laptop was found to incorporate the patient’s Social Security number as part of its digit sequence, so those numbers were exposed. This is a common blind spot: identifiers derived from an SSN are easily missed by a data inventory that only looks for a dedicated SSN field. Identity theft protection services have been offered to those 28 individuals.
In contrast to many healthcare providers, which delay issuing breach notices for up to two months after a security incident, patients affected by the North East Medical Services HIPAA breach were alerted promptly, and all 69,246 letters have now been dispatched.
The breach response was prompt and thorough, and it limited the risk of harm to the victims. As soon as the theft was discovered, the employee concerned changed their login credentials. That step protects the accounts the laptop could reach, but it should be noted that it does not protect the data already on an unencrypted disk, which can be read directly without logging in. The company conducted a risk assessment on the same day the theft was discovered, and emergency procedures were initiated. Two days later the decision was taken to prohibit employees from leaving the healthcare provider’s facilities with company laptop computers. Notification letters were sent to patients on July 31, just over two weeks after the theft was discovered. The healthcare provider has also now encrypted the data on all of its laptop computers.
Further training has been provided to staff members, the media has been alerted to the breach, and the security incident is being reported to federal and state authorities, as well as to stakeholders and third-party payers, according to NEMS Privacy Officer Linda Kline.
Had NEMS encrypted the data on its laptops before the theft, the incident would not have been a reportable breach at all: under the HIPAA Breach Notification Rule, PHI that is encrypted in line with HHS guidance is not considered unsecured, and its loss does not trigger notification. That said, the fast breach response and mitigation efforts by both the employee and the healthcare provider have substantially reduced the risk of damage, loss and harm to the affected patients.