8,000 Patients Notified of PHI Exposure After Office Burglary


A limited amount of protected health information (PHI) of almost 8,000 patients of Brevard Physician Associates has been exposed after a desktop computer was stolen in a burglary.

The incident occurred on September 4, 2017 – Labor Day – when the offices were closed. In the early morning, thieves broke in and stole three desktop computers.

The burglary triggered the alarm system and police responded to the incident, although not in time to apprehend the criminals. A forensic analysis of the office was performed, although to date the individuals responsible have not been apprehended and the computers have not been recovered.

Two of the computers did not contain any protected health information, but the third computer had five audit files saved to the hard drive. The information in those audit files was limited, although there was sufficient information to warrant the issuing of breach notifications to patients.

Brevard Physician Associates acted quickly and dispatched breach notification letters to affected patients well within the timeframe allowed by the HIPAA Breach Notification Rule. In total, 7,976 patients were potentially impacted and had the following information exposed: names, names of insurance providers, CPT codes for the services provided, and the amounts charged for services.

The HIPAA Security Rule does not demand the use of encryption, although if the decision is taken not to encrypt data, an alternative, equivalent control must be employed to safeguard the confidentiality, integrity, and availability of PHI. While the computers were not encrypted, they were protected with strong passwords. Brevard Physician Associates also reports that the devices can be remotely wiped of all data, and that safeguard has been triggered. If the devices are connected to the Internet, data will be remotely wiped.

Brevard Physician Associates believes the risk – and future risk – of identity theft and fraud as a result of the incident is minimal. Even though addresses, dates of birth, telephone numbers, Social Security numbers, financial information and insurance ID numbers were not exposed and could not be accessed by the thieves, the decision has been taken to offer all affected patients 12 months of complimentary credit monitoring services.

Brevard Physician Associates should be commended for its rapid breach response, prompt issuing of notifications, and for the steps taken to mitigate risk.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
