An office break-in and subsequent computer theft has led to the possible exposure of the protected health information (PHI) of up to 8,000 clients of Brevard Physician Associates.
The break-in happened on Labor Day, September 4, 2017, when Brevard Physician Associates' business premises were closed. Thieves gained access to the offices early that morning and illegally removed three desktop computers.
The office’s alarm system notified the police, who attended the scene immediately but were unable to apprehend the individuals responsible for the break-in. The police completed a forensic analysis of the location; however, so far this has not led to any arrests in the investigation, and the computers in question have not been recovered.
Of the computers stolen, two did not store any protected health information, but the third contained five audit files on its hard drive. The information in those audit files was limited, although there was enough data to lead to the issuing of breach notification warnings to patients.
Brevard Physician Associates moved quickly and sent breach notification letters to affected clients within the specified HIPAA timeframe. In total, 7,976 clients were potentially affected; the information possibly exposed comprised names, names of insurance providers, CPT codes for the services provided and the amounts charged for services.
The HIPAA Security Rule does not mandate the encryption of files, although if the decision is taken not to encrypt data, another, equivalent security control must be employed to guard the confidentiality, integrity, and availability of PHI. While the computers were not encrypted, they were safeguarded with passwords, and strong passwords had been implemented. Brevard Physician Associates also reports that the devices can be remotely wiped of all data stored on the hard drives, and that safeguard has been activated. If the devices are connected to the Internet, data will be remotely wiped from the hard drives.
Brevard Physician Associates believes the risk of harm, and future risk of harm, from identity theft and fraud as a result of the incident is as low as possible. Although addresses, dates of birth, telephone numbers, Social Security numbers, financial information and insurance ID details were not accessed and could not be viewed by the thieves, steps have been taken to offer all affected patients 12 months of free credit monitoring services.