Share this article on:
New West Health Services has started notifying 25,000 patients about the loss of an unencrypted, password-protected laptop containing extensive Protected Health Information.
New West Health Services Data Breach Affects 25,000 Patients
New West Health Services, a Helena, MT., based not-for-profit provider of sponsored health plans, including Medicare Advantage and Medicare Supplement plans, has reported the theft of one of its laptop computers.
New West, doing business as New West Medicare, announced on January 15, 2016., that the laptop computer contained the records of approximately 25,000 plan members.
The device was password protected but this is not sufficient protection to prevent PHI from being accessed, as passwords can all too easily be cracked. Had the laptop computer been encrypted, no patient health information would have been exposed and it would not have been necessary for breach notices to have been issued.
However, since there is a possibility that the PHI of patients could be accessed and used inappropriately, HIPAA requires a breach notice to be issued to all affected individuals. New West CEO Angela E. Huschka explained in a statement that “Out of an abundance of caution, New West is proactively notifying impacted members so they can take steps to safeguard their personal information.”
Extensive PHI Stored on the Unencrypted Laptop
Some customers only had their name and address stored on the laptop. Others were not so fortunate. Certain customers had a considerable amount of personal data exposed in addition to their name and address. This included Social Security number, date of birth, driver’s license number, and Medicare claim number.
The wording of the breach notice suggest only a limited amount of data were exposed for each patient, but those data include highly sensitive information such as bank account details, credit card numbers (along with expiry dates and CVV codes), health information, medical histories, health condition diagnoses, prescription information, and Medicare premium amounts.
New Health reported the theft to law enforcement and initiated an investigation into the breach immediately upon discovery of the theft. It is not clear from the data breach report when the theft actually occurred, and the Office for Civil Rights has yet to list the data breach on its breach portal.
In order to address the risk of identity theft and fraud, all affected individuals have been offered credit monitoring and identity theft protection services for a year without charge. Given the extent of the data that may have been exposed, breach victims should initiate those services immediately and should also obtain a credit report from each of the credit monitoring agencies (Experian, Equifax & TransUnion). They should also check Explanation of Benefits statements carefully for any suspicious entries.
New Health has said that it has not uncovered any evidence to suggest that data have been used inappropriately.
Huschka explained in a press release that New Health will be “installing additional security on all company laptops, enhancing education for our employees, and strengthening our data security policies and practices.” It is not clear whether those security measures will include encrypting the data stored on mobile devices.