Bizarre HIPAA Breach Results in Doctor Having Medical License Suspended

A psychologist in Washington State has recently had his medical license suspended after his personal laptop, containing unencrypted data on his patients, was stolen. Laptop thefts often result in healthcare data being exposed, although what makes this case peculiar is that the laptop was stolen by a prostitute the doctor had just visited.

Having failed to take sufficient cash, the doctor had to visit an ATM and returned to find no laptop or prostitute. The incident occurred on February 4th, but the theft of the laptop was not reported to the police until February 14th. The Department of Health and Human Services was notified of the incident three days after the laptop had been stolen, according to a Statement of Charges by the Washington State Department of Health. A total of 652 patients were reported to have potentially been affected by the breach.

However, the psychologist was not truthful with the police and failed to inform them of the facts, and a false report was also made to the HHS. Eventually the police were informed that a prostitute had stolen the laptop and they were able to swiftly recover it from a pawnshop. There was no suggestion that the data had been viewed by any unauthorized individuals, although since it was not encrypted it remains a possibility.

It was discovered that the doctor was on notice with the State Board and was being treated for cannabis and alcohol dependency; he has also previously been arrested for driving under the influence of alcohol. However, the suspension was due to the HIPAA breach, which in this case had a rapid and direct impact on patients.

According to the statement, the psychologist’s actions directly caused harm to patients. The theft and data breach caused a number of issues. It was necessary for clients to “re-engage with new providers, retelling their stories and answering questions, in some cases requiring the clients to repeatedly re-disclose events that were unpleasant and even traumatic to them. The clients’ eligibility for benefits and access to health care were delayed.”

Had the data on the laptop been encrypted, a HIPAA breach would have been avoided and it is possible the psychologist would have kept his position. Data breaches only occur if the data could potentially be accessed and encryption prevents this. The loss of an encrypted laptop is not reportable to the HHS, nor is it mandatory to report the theft of a personal laptop.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.