
U.S. HealthWorks HIPAA Breach Raises Issue of Data Encryption

U.S. HealthWorks, a healthcare provider based in Valencia, California, has reported a breach of PHI and PII after an unencrypted laptop computer was stolen from the vehicle of a company employee.

Theft of Laptop Computer from Unattended Vehicle

The incident occurred on April 21, 2015, and was discovered by the healthcare provider the following day. The sample breach notification letter – posted on the State of California DoJ Attorney General’s website – explains that a company employee had taken a laptop computer and left it in a vehicle, from where it was stolen. Once the theft was discovered, the incident was reported to law enforcement and an investigation was commenced.

U.S. HealthWorks started an internal investigation to determine exactly what data was stored on the laptop, a process that took some time to complete. According to the breach notification letter – dated May 30, 2015 – it took until May 5, 2015, to determine that the laptop computer was password protected but lacked data encryption software. The healthcare provider was able to determine that Protected Health Information (PHI) and Personally Identifiable Information (PII) could be accessed through the device. The number of individuals affected by the HIPAA breach has yet to be disclosed to the media.

The information potentially exposed includes names, addresses, dates of birth, job titles, and Social Security numbers. In accordance with the Health Insurance Portability and Accountability Act, credit protection services are being offered without charge for a period of one year to mitigate any damage caused, although the healthcare provider believes there is a low risk of any information being used. Credit monitoring services were only provided “out of an abundance of caution.”


Password Protection is not Sufficient to Prevent Access to PHI

Passwords offer a degree of security, but on their own they are not enough to prevent a HIPAA violation. A login password is enforced only by the operating system while it is running; it does not protect the data at rest. Without data encryption, any information stored on an electronic device can potentially be read if the device is lost or stolen.

To improve security and prevent future data breaches, the company will be taking a number of actions. According to the breach notice, “To help prevent something like this from happening again, we are enhancing our procedures related to deployment of laptops and full disk encryption.” The notice also says that regular audits will be conducted “to help ensure compliance with U.S. HealthWorks’ laptop encryption policy.”
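The two preceding sections make a concrete technical point: a login password protects nothing once the disk is removed from the laptop, so a laptop encryption policy is only as good as the audit that verifies full-disk encryption is actually in place on every issued machine. The script below is an added example, not U.S. HealthWorks' audit tooling, of what one such compliance check can look like on a Linux fleet. It reads the block-device tree reported by `lsblk -J` and flags every mounted filesystem that does not sit on a dm-crypt (LUKS) layer. The exempt mountpoints and the two sample device trees are assumptions constructed for the example.

```python
"""Full-disk-encryption compliance check for Linux laptops.

Reads the block-device tree from `lsblk -J` and reports every mounted
filesystem that is not layered on a dm-crypt (LUKS) mapping.  Added example
for this article; it is not U.S. HealthWorks' own audit tooling.
"""
import json
import subprocess

# Assumption (policy choice): the boot partitions must stay readable before a
# LUKS passphrase is entered, so they are exempt.  Swap is deliberately NOT
# exempt, because it can hold pages of memory that contained PHI.
EXEMPT_MOUNTPOINTS = {"/boot", "/boot/efi"}


def _walk(node, under_crypt, findings):
    """Depth-first visit of one lsblk node, carrying down whether the node
    itself or any ancestor is a dm-crypt mapping (type == "crypt")."""
    under_crypt = under_crypt or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        findings.append({"name": node["name"],
                         "fstype": node.get("fstype"),
                         "mountpoint": mountpoint,
                         "encrypted": under_crypt})
    for child in node.get("children") or []:
        _walk(child, under_crypt, findings)


def inventory(lsblk_json):
    """Every mounted filesystem in the tree, each with an 'encrypted' verdict."""
    findings = []
    for device in lsblk_json.get("blockdevices", []):
        _walk(device, False, findings)
    return findings


def unencrypted_data_volumes(lsblk_json):
    """Mountpoints that hold data yet are not protected at rest."""
    return [f["mountpoint"] for f in inventory(lsblk_json)
            if not f["encrypted"] and f["mountpoint"] not in EXEMPT_MOUNTPOINTS]


def is_compliant(lsblk_json):
    """True when no data-bearing filesystem is left unencrypted."""
    return not unencrypted_data_volumes(lsblk_json)


def audit_local_machine():
    """Run lsblk on this host (Linux only) and return the non-compliant mountpoints."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return unencrypted_data_volumes(json.loads(out))


# Constructed sample trees in lsblk -J layout (not captured from any real machine).
# Laptop 1: password-protected OS, plain ext4 partitions -> fails the policy.
UNENCRYPTED_LAPTOP = {"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
        {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/home"}]}]}

# Laptop 2: LVM on LUKS; only the boot partitions are outside the crypt layer.
ENCRYPTED_LAPTOP = {"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
        {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
         "children": [
            {"name": "luks-root", "type": "crypt", "fstype": "LVM2_member", "mountpoint": None,
             "children": [
                {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
                {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
                {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}]}]}]}]}


if __name__ == "__main__":
    for label, tree in (("laptop 1", UNENCRYPTED_LAPTOP), ("laptop 2", ENCRYPTED_LAPTOP)):
        verdict = "PASS" if is_compliant(tree) else "FAIL"
        print(f"{label}: {verdict} {unencrypted_data_volumes(tree)}")
```

Run against the two constructed trees the script reports laptop 1 as failing on `/` and `/home` and laptop 2 as passing. In a real audit `audit_local_machine()` would be scheduled on each endpoint and its result shipped to a central inventory, so that a device found in the field without encryption is caught by the audit rather than by a breach notification.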

U.S. HealthWorks, a subsidiary of Dignity Health, operates more than 200 clinics in 19 states and is one of the nation’s largest workplace healthcare providers.

Issue of Data Encryption for Portable Devices Raised Again

Data encryption is not a mandatory requirement under the Health Insurance Portability and Accountability Act; it is only an “addressable” implementation specification.

According to the Department of Health and Human Services’ Office for Civil Rights:

“The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework.”

“This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation.”

It may be against company policy to leave unencrypted laptops in unattended vehicles, but if members of staff are permitted to take portable devices containing PHI outside the hospital’s area of control, there is a considerable risk of a data breach. This should have been picked up in a risk assessment, and serious consideration given to encrypting the devices.

It is not clear in this case why the company elected not to use data encryption, or what, if any, alternative methods were employed to protect the data aside from a password. That is something that will need to be explained to the OCR if its auditors come knocking.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
