The Barrington Orthopedic Specialists data breach potentially exposes the Protected Health Information (PHI) of 1,009 patients.
The Barrington Orthopedic Specialists data breach occurred when an unencrypted laptop computer and EMG machine were stolen from a transport vehicle. The information exposed was limited in nature, and only included patient names, dates of birth and EMG test results.
The Illinois-based healthcare provider, like many other HIPAA-covered entities, faces high operational costs and budgetary constraints, which has meant it needed to transport equipment between its centers in order to provide certain medical services to patients.
The Barrington Orthopedic Specialists data breach was discovered on August 18, 2015, with the theft having occurred at some point between August 14 and August 18.
The transportation of computer equipment and medical devices potentially places Protected Health Information (PHI) and Personally Identifiable Information (PII) at risk of exposure, should that equipment be intercepted and stolen, as proved to be the case here.
Following on from the theft, Barrington Orthopedic Specialists has purchased additional equipment and will no longer need to transport the computer hardware and EMG machines between locations, eliminating the risk of interception of patient data in transit. As an additional precaution against theft and data exposure, the healthcare provider will now be storing PHI and PHI centrally on its servers, and not on any laptops associated with its EMG machines.
All affected patients have now been notified of the potential exposure of their PHI and PII by mail, in accordance with the HIPAA Breach Notification Rule. The Department of Health and Human Services’ Office for Civil Rights has also been informed of the data breach. That notice was received on September 24, 2015: Well within the time frame stipulated by HIPAA regulations.
Healthcare providers are not bound to offer credit monitoring and identity theft protection services to patients following a data breach. They must assess the potential for harm and implement risk mitigation measures commensurate with the level of risk faced by patients. Since Social Security numbers, financial information and other highly sensitive data were not exposed in the incident, patients are not believed to face a high level of risk of their information being used inappropriately.
According to the company’s breach notice to patients, “Due to the limited information contained on the unit, we do not believe there is any financial identity risks as only name and birthdate and test results were breached.”