Patient Data Exposed in Laptop Theft Incidents
Incidents involving the theft of portable electronic devices containing protected health information are now relatively rare, but two incidents were reported this month.
Former Multnomah County Health Department Employee Failed to Return Laptop Containing Patient Information
Multnomah County Health Department in Portland, OR, has notified 1,092 Multnomah County Health Center patients that some of their protected health information has been exposed. On March 4, 2024, the Health Department dismissed an employee who failed to return their Health Department laptop. When employees are dismissed, their network account, email, and access to clinical systems and electronic medical records are terminated, as was the case with this dismissal; however, some patient data was stored on the laptop. While employed, the former employee was authorized to view the information, but that authorization ended when the employee was terminated.
On April 24, 2024, the Health Department’s anti-malware system generated an alert about suspicious activity on the unreturned laptop indicating the laptop was being used by the employee. The IT team investigated and determined that the employee had logged into the computer using the credentials for an old account and they discovered that two spreadsheets that included patient data had been saved to the laptop. The exposed data included names, medical record numbers, Medicaid IDs, dates of birth, gender, race, ethnicity, clinic, and dates of service.
A command was issued to remotely delete the data when the laptop next connects to the Internet and the affected patients have been notified about the incident and have been offered a complimentary identity theft protection plan. The failure of the employee to return the laptop after multiple requests has also been reported to the Portland Police Bureau and the Health Department has strengthened technical protocols and training around County-issued computers to prevent similar events in the future.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Patient Information Stored on Stolen TimeDoc Laptop
TimeDoc, a virtual care management service provider, has recently notified 1,880 patients about the theft of a laptop computer containing their protected health information. On March 13, 2024, a laptop computer was stolen from a TimeDoc employee who was traveling on public transport. The laptop was password-protected, but not encrypted.
The employee’s password has been changed to reduce the risk of unauthorized data access and the theft has been reported to law enforcement. A review was conducted which revealed patient data such as names, dates of birth, chronic conditions, and the name of the practice where the patient received treatment may have been downloaded to the laptop. The affected medical practices were notified about the data exposure between April 5 and 8, 2024, and individual notifications have been mailed to the affected patients. Steps have since been taken to improve laptop security to prevent similar incidents in the future.
