A burglary at the Roseville offices of Associated Dentists has exposed the Protected Health Information (PHI) and Personally Identifiable Information (PII) of an as yet undisclosed number of individuals after the laptops of two physicians were stolen.
The theft occurred after working hours on Thursday, March 19 and was discovered the following day. One of the laptop computers was encrypted, so the thief would not be able to access any protected information on it. The other laptop was protected only with a password; while a password offers a rudimentary level of protection, it is unlikely to stop a hacker or computer expert from viewing the data.
The data stored on the password-protected laptop included the names of patients, their addresses, dates of birth and Social Security numbers. In some cases, patients' records also contained email addresses, medical billing information, procedures performed, physician's name, insurance carrier name and policy number, and diagnosis information.
The risk of identity theft and insurance fraud is perceived to be low, and the breach notice was issued “out of an abundance of caution” according to Patrick Jacobwith, Associated Dentists’ Compliance Officer. “We performed a thorough investigation in order to determine the nature and scope of this incident. Because we do not have the laptop in our possession, Associated Dentists must assume there is a possibility that someone may have accessed certain patients’ protected health information.”
Due to the nature of the data exposed, all affected individuals are being offered a year of identity theft and credit protection services so that, in the unlikely event that the stolen data is used, patients will be protected. The press release also states that breach notification letters started to be sent on May 15, 2015, and that the Office for Civil Rights (OCR) has been notified of the breach.
Breach Notification Delays
The burglary took place on March 19, yet it took two months before Associated Dentists reported the incident to the Office for Civil Rights and started notifying patients. Under the HIPAA Breach Notification Rule, covered entities are required to report data breaches involving a combination of PHI and PII – and affecting more than 500 individuals – to the OCR and notify affected individuals within 60 days of the discovery of the breach.
This is a maximum time limit, yet some healthcare organizations delay the OCR report and the sending of breach notification letters until the last minute. It is not clear in this instance why it took Associated Dentists so long to put these important elements of the breach response into place, or why they were left until deadline day.
While it does not appear that the Breach Notification Rule has been violated, if letters only started to be dispatched on May 15, patients will not receive them until after the deadline has passed.
Delaying the issuing of a breach notice is risky. The HIPAA Rules require covered entities to issue notifications without unreasonable delay, and the OCR has fined organizations in the past for breach notification failures.
Data Encryption, Password Protection and HIPAA Reporting Requirements
When a device containing PHI and PII is lost or stolen, the incident is reportable only if the device is unencrypted; the one exception is an encrypted device that is lost or stolen together with its decryption key. If no PHI is accessible, there is no HIPAA breach.
Password protection is not the same as encryption and does not offer a sufficient level of protection for PHI. Under the HIPAA Rules, the loss of a password-protected laptop is a reportable incident and the breach notification timescale applies.
Breaches involving fewer than 500 individuals do not need to be reported until the start of March the following year; however, it is best practice to report data breaches as soon as all the information becomes available.
Should a covered entity fail to adhere to the HIPAA Rules, penalties can be issued by state Attorneys General and the OCR. A fine of up to $1.5 million is applicable in cases where HIPAA violations have resulted from willful neglect.