HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Burglary of Vermont Medical Practice Reported: PHI of 2,000 Patients Exposed

The offices of Vermont-based physician, Max. M. Bayard, MD PC, have been burglarized and a number of electronic devices have been stolen, resulting in the Protected Health Information (PHI) of approximately 2,000 patients being exposed. According to a breach notice posted on the website of the Vermont Attorney General, the burglary occurred on August 5, 2015.

By today’s standards, the data breach exposed a relatively small number of patient records; however, the breach is particularly serious, as patient names, dates of birth, Social Security numbers and Medicare/Medicaid numbers were stored on the computers: the exact information needed by identity thieves to commit fraud. Other data exposed varies from patient to patient, and includes health information such as medical diagnoses, treatment information, and treatment dates.

Patients face a high risk of fraud and identity theft. To reduce the risk of harm and loss, all affected patients have been offered a year of free credit monitoring and identity theft repair services. Patients are also covered by a $1 million identity theft insurance policy.

Patients are advised to sign up for the services promptly, as the 12-month period starts from the date the breach notification letters were issued, September 11, 2015, not the date the services are activated.

Additional Protections put in Place to Prevent Future Data Breaches


Breach response procedures were executed immediately after the discovery of the data breach. Law enforcement officers were notified, and changes were made to safeguard patient data. Dr. Bayard arranged for the firewall and email account passwords to be changed, along with login credentials.

Additional security measures are also in the process of being put in place, which include new administrative, technical and physical safeguards. CCTV security cameras are to be installed on the premises, new data security policies will be implemented and the staff is to receive further training on data security. Dr. Bayard is also arranging for all computers to be protected by data encryption software.

Equipment Theft Highlights Importance of Using Data Encryption to Secure Patient PHI


Many healthcare providers choose to encrypt patient healthcare data to reduce the risk of information being accessed by unauthorized parties. High-risk devices such as laptop computers and portable storage drives often have data encrypted, but it is important to consider encrypting all stored electronic healthcare data, regardless of where that information is located. Desktop computers may not be as portable, but this burglary, along with a number of other recent break-ins at physicians’ offices, has highlighted the importance of extending data encryption to all devices used to store ePHI.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.