West Virginia-based Coplin Health Systems has informed 43,000 patients that their protected health information (PHI) may have been exposed following the theft of an unencrypted laptop computer from an employee’s vehicle.
Coplin Health learned of the theft on November 2, 2017. It was reported to law enforcement immediately and an investigation was launched, but at the time the notifications were issued the laptop had not been recovered.
While it is possible that PHI was stored on the laptop, Coplin Health does not believe that was the case, although the possibility of data exposure cannot be ruled out with certainty.
Coplin Health notes that the laptop had various security protections in place to preserve patient privacy in the event of theft. While the laptop could potentially be used to gain access to patient data, a password would have been required, and the thief is not suspected of having “the sophisticated knowledge and resources necessary to bypass the laptop’s security mechanisms.” It is worth noting, however, that an operating-system login password protects only the user session, not the data at rest: on a device without full-disk encryption, the contents of the drive can be read by removing it or by booting the machine from external media, neither of which requires unusual expertise or resources.
Further, Coplin Health’s IT department acted quickly to limit the potential for harm. The employee’s login credentials were changed so that the laptop could no longer be used to access Coplin Health’s systems, and no attempts to access those systems from the device have been observed since it was stolen.
Coplin Health believes it is unlikely that patient data were stored locally on the device, but if they were, the files would have contained patient names, addresses, Social Security numbers, birth dates, financial information and health information. Out of an abundance of caution, all 43,000 patients have been notified of the potential exposure of their PHI.
The incident has prompted Coplin Health to review its security protections, and it reports that steps have been taken to prevent a recurrence. Coplin Health will also increase monitoring to ensure that its policies and procedures are being followed by employees, and any future breach of policy will result in disciplinary action against the employees concerned.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule lists encryption of electronic PHI as an “addressable” implementation specification rather than a required one. Covered entities must determine, on the basis of a risk analysis, whether encryption is reasonable and appropriate; if they decide not to implement it, they must document that decision and put an equivalent alternative measure in its place where reasonable and appropriate. Coplin Health has not said whether it plans to add encryption to its security protections in the future.