
8,000 Patients Notified of PHI Exposure After Office Burglary

A limited amount of protected health information (PHI) of almost 8,000 patients of Brevard Physician Associates has been exposed after a desktop computer was stolen in a burglary.

The incident occurred on September 4, 2017 – Labor Day – when the offices were closed. In the early morning, thieves broke in and stole three desktop computers.

The burglary triggered the alarm system and police responded to the incident, although not in time to apprehend the criminals. A forensic analysis of the office was performed, but to date the individuals responsible have not been apprehended and the computers have not been recovered.

Two of the computers did not contain any protected health information, but the third computer had five audit files saved to the hard drive. The information in those audit files was limited, although there was sufficient information to warrant the issuing of breach notifications to patients.


Brevard Physician Associates acted quickly and dispatched breach notification letters to affected patients well within the timeframe allowed by the HIPAA Breach Notification Rule. In total, 7,976 patients were potentially impacted and had the following information exposed: Names, names of insurance providers, CPT codes for the services provided, and the amounts charged for services.

The HIPAA Security Rule does not mandate the use of encryption, although if the decision is taken not to encrypt data, an alternative, equivalent control must be employed to safeguard the confidentiality, integrity, and availability of PHI. While the computers were not encrypted, they were password-protected, and strong passwords had been used. Brevard Physician Associates also reports that the devices can be remotely wiped of all data, and that safeguard has been triggered. The wipe will only take effect if the devices are connected to the Internet.

Brevard Physician Associates believes the risk – and future risk – of identity theft and fraud as a result of the incident is minimal. Even though addresses, dates of birth, telephone numbers, Social Security numbers, financial information and insurance ID numbers were not exposed and could not be accessed by the thieves, the decision has been taken to offer all affected patients 12 months of complimentary credit monitoring services.

Brevard Physician Associates should be commended for its rapid breach response, prompt issuing of notifications, and for the steps taken to mitigate risk.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.