Briar Hill Management, a Ridgeland, MS-based provider of management services for skilled nursing facilities in Mississippi, has lost a laptop computer containing the sensitive data of 2,000 nursing facility residents.
The laptop was discovered to be missing on February 26, 2016, although at the time it was not believed that the laptop contained any resident health information. However, according to the breach notice recently uploaded to the company website, an investigation into the incident revealed that the employee who had been assigned the laptop computer had breached company policies and had downloaded sensitive information onto the device.
The data stored on the unencrypted laptop included residents’ names, addresses, birth dates, dates of service, Social Security numbers, prescription information, and medical records. Briar Hill Management says “the laptop did not contain all of these types of information for every affected resident.” The breach notice does not state when Briar Hill Management discovered sensitive information had been exposed.
Briar Hill Management conducted an “exhaustive” search for the device, but concluded that the laptop was lost off-site. Briar Hill Management says the employee also breached company policies by failing to “properly secure the laptop when outside of the company’s office.” Law enforcement has been notified of the loss, but with more than 8 months having passed since the laptop was lost, it can be safely assumed that the device will not be recovered.
Residents impacted by the breach have been informed that the company’s investigation into the incident has not uncovered any evidence to suggest that residents’ information has been improperly accessed, although as a precaution, individuals affected by the breach have been offered a year of credit monitoring and identity theft protection services without charge.
To prevent future breaches of this nature, Briar Hill Management has implemented additional safeguards for all mobile devices used by company employees. The employee responsible for the device has also been sanctioned.