43,000 patients of West Virginia-based Coplin Health Systems have been warned that their PHI may have been exposed following the theft of an unencrypted laptop computer from the vehicle of an employee of the organization.
Coplin Health discovered the laptop theft on November 2, 2017. The theft was then reported to law enforcement and an investigation was initiated, although at the time the warnings were sent, the laptop computer in question had still not been found.
Though it is possible that PHI of Coplin Health patients was stored on the laptop, the organization does not believe that was the case. However, the chance of data exposure cannot be dismissed completely.
Coplin Health remarked that the stolen laptop had a range of security protections in place to protect the privacy of patients should the laptop be stolen. While the laptop could potentially be used to obtain access to patient data, a password would have been required, and it is not believed that the thief had “the sophisticated knowledge and resources necessary to bypass the laptop’s security mechanisms.”
Furthermore, Coplin Health’s IT staff took speedy action to limit the potential harm to patients. The employee’s login credentials were changed to prevent the laptop from being used to gain access to Coplin Health’s systems, and no attempts to access its systems using the laptop have been logged since the device was stolen.
The possibility of patient data being stored locally on the device is considered to be low, although if that did prove to be the case, the device would have stored data including patient names, addresses, Social Security numbers, birth dates, financial records and health data. As an additional measure to protect PHI, 43,000 patients have been notified of the potential exposure of their private health information.
In the aftermath of the incident, Coplin Health has conducted an audit of its security protections, and actions have been taken to prevent a recurrence. The organization will also increase monitoring to ensure that its policies and procedures are being complied with by employees, and any future breach of policy will lead to disciplinary action against the employees concerned.
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to review the use of encryption, although encryption itself is not legally required. The decision about whether to use encryption should be based on a thorough risk review. If encryption is not put in place, other equivalent measures must be adopted.