Bloomington, Indiana-based Premier Healthcare has reported the theft of an unencrypted laptop computer containing the protected health information (PHI) of 205,748 patients.
Patients’ names, dates of birth, addresses, medical record numbers, clinical information, health insurance information and other medical records were stored on the device. Premier Healthcare said 1,769 patients also had their financial information and Social Security numbers exposed. The data were not held in a single database but were scattered across emails, PDF files, spreadsheets and screenshot images of billing statements.
The laptop was stolen from the physicians’ group’s billing offices at 1180 South Liberty Drive in Bloomington on January 4, 2016. The offices were locked and alarmed, and the laptop was protected by a login password; however, the data on it were not encrypted. A login password alone does not protect data at rest: a thief who removes the drive or boots the machine from external media can read every file on it without ever entering the password.
The offices are not believed to have been targeted by thieves seeking patients’ protected health information, and to date no evidence has been uncovered to suggest that any data on the laptop have been used inappropriately. The break-in and laptop theft were reported to local law enforcement; however, the device has not been recovered.
Affected patients are being notified of the exposure of their protected health information, although it is unclear whether credit monitoring and identity theft protection services are being offered to them.
Premier Healthcare has announced that it has taken steps to improve security and has already begun encrypting data on all of its desktop and laptop computers. Physical security protocols have also been reviewed to prevent repeat thefts. Premier has vowed to prosecute the individual responsible for the theft to the fullest extent of the law, should the perpetrator be identified.
The HIPAA Security Rule requires all covered entities to conduct a risk analysis to identify vulnerabilities that could allow the protected health information of patients and health plan members to be accessed by unauthorized individuals. HIPAA does not mandate encryption of stored PHI; encryption of data at rest is an addressable implementation specification (45 CFR 164.312(a)(2)(iv)). Addressable does not mean optional: a covered entity must implement encryption if it is reasonable and appropriate, and if it decides otherwise it must document the reasons for that decision and put an equivalent alternative safeguard in place so that PHI remains appropriately protected.
Many healthcare providers now apply full-disk encryption to every portable device used to store PHI, so that the loss or theft of a device does not expose patient data. There is a regulatory incentive as well: under HHS guidance, PHI encrypted in accordance with NIST standards (NIST SP 800-111 for data at rest) is not considered “unsecured” PHI, so the loss of a properly encrypted device is not a reportable breach. Had this laptop been encrypted, the theft would have been a hardware loss rather than a breach affecting 205,748 patients.