Stolen Laptops Lead to Large Data Breach

data breachAHMC Healthcare, based in Alhambra, CA, reported that the theft of two laptops has resulted in 729,000 patients’ protected health information (PHI) being compromised.  This is the 11th largest HIPAA breach so far.

Surveillance video showed that a transient broke into an administrative office on October 12th and made off with two password-protected laptop computers, despite the video monitoring and the fact that the campus was gated and “patrolled by security.”  The theft was discovered two days later and reported to police, who are looking for a suspect identified through the video.  Patient names, Medicare and other insurance identification numbers, medical diagnosis and procedure codes, insurance and patient payment details, and Social Security numbers were all among the confidential data contained on the unencrypted laptops.  While officials at AHMC Healthcare said that there is no evidence that the data has been accessed or used, they are recommending that affected patients check their credit reports for evidence of potential fraud.

A notification letter mailed to patients on October 21st advised that the organization will be “expediting a policy of encrypting all laptops” in the aftermath of the computer theft and data breach.  In light of the HIPAA Omnibus Rule having gone into effect last month and tightening security rules governing PHI, this seems to be a case of “too little, too late,” and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), the agency responsible for enforcing the Privacy and Security Rules and investigating potential violations, will no doubt take an interest.  Approximately $16 million in penalties has already been collected by the office from sixteen organizations involved in previous HIPAA violations.

OCR director Leon Rodriguez intends to investigate and penalize groups more vigorously in the wake of the Omnibus Rule.  A class action lawsuit filed by patients affected by a data breach (the second largest) at Advocate Health Care in Illinois in August should also drive home the seriousness of this issue.  Patient privacy needs to be handled with the utmost caution, and whether you’re using electronic health records software like Medisoft Clinical, medical billing software like Lytec, or any software storing patients’ financial and protected health information, it is critical that you ensure that any data that could potentially leave the premises is encrypted.  Healthcare technology consultants at Microwize Technology can give you more information.