Aspire Indiana has announced that the PHI of 45,030 individuals was obtained by thieves in a November 7 burglary of its administrative offices. The perpetrator(s) stole a number of laptop computers containing unencrypted PHI, including 1,548 identifiable Social Security numbers.
This incident exposed more Protected Health Records than December's Sony Pictures Entertainment Health and Welfare Benefits Plan breach and January's UMass Memorial Medical Group HIPAA breach combined.
Aspire Indiana, Inc., is a private behavioral and mental health not-for-profit organization with administrative offices in Noblesville, Indiana. According to the notice, it was these offices that were burglarized; the crime has been reported to law enforcement, which is conducting an investigation. It is not clear whether the thieves broke into the offices with the intention of stealing medical records.
As soon as the theft of the PHI was discovered, the company immediately embarked on a process of damage mitigation. It commissioned a forensic analysis to determine exactly what data was stored on the laptops and which patients had been affected.
So far the forensic analysis has revealed that Protected Health Information may have been accessible via the emails that were stored locally on the laptops. According to the notice, “Clients’ medical record number and limited personal health information used for internal business purposes may also have been contained on the laptops. The laptops did not include any electronic medical health records, which remain secure.”
Aspire has issued breach notification letters to all affected individuals by post and has encouraged them to take action to protect their identity and prevent medical or benefit fraud. They are being offered credit monitoring services through ID Experts.
Aspire President and CEO, Rich DeHaven, issued a statement in which he reassured patients that the company is committed to improving security. He said “We have taken steps to enhance our security, including upgrading our alarm and security systems. We remain committed to continually improving our IT and physical security to further protect our data and our clients.”
The latest breach is another example of where data encryption could potentially have prevented PHI from falling into the hands of criminals. If data is encrypted in transit and at rest, the loss or theft of a device would be unlikely to result in protected health information being exposed.
Data encryption is only addressable, not mandatory, under HIPAA regulations. The flexibility afforded healthcare providers under the Security and Privacy Rules has come under criticism in recent months as the volume of victims of HIPAA data breaches has risen.