Business Associate Starts Issuing Notifications About August 2018 Laptop Theft

A Massachusetts business associate has discovered the electronic protected health information (ePHI) of 2,088 individuals has potentially been viewed by unauthorized individuals. The ePHI was stored on an employee’s laptop computer that was stolen on August 23, 2018.

RSC Insurance Brokerage, dba Re-Solutions, started notifying affected healthcare providers about the breach of their patients’ PHI on January 22, 2019, 5 months after the discovery of the theft of the laptop.

According to the breach notice submitted to the California Attorney General, a third-party cyber security firm was called in to help determine what files had been stored on the laptop, the types of information that were accessible, and how many individuals had potentially been impacted.

The theft was reported to law enforcement at the time and the employee’s credentials were changed to ensure that the laptop could not be used to access RSC systems. However, files were stored on the laptop and could potentially be accessed because, while the device was protected with a password, it was not encrypted.

No evidence of unauthorized data access was discovered, and RSC said no reports have been received to suggest there has been any misuse of the data.

To protect affected individuals from identity theft and fraud, complimentary membership to Experian’s IdentityWorks identity theft protection service has been offered for 12 months. Affected individuals have also been advised to check their explanation of benefits statements from their health insurer for services that are listed but have not been received.

RSC said that security measures are being enhanced to prevent any information stored on portable electronic devices from being exposed in the future.

The Department of Health and Human Services’ Office for Civil Rights (OCR) was notified about the breach on March 1, 2019. The HIPAA Breach Notification Rule requires notification letters to be issued within 60 days of the discovery of a breach. It is unclear why it took so long to determine that PHI had been exposed.

Arizona Medicaid Agency Mailing Error Impacts 3,146 Individuals

Arizona’s Medicaid agency, the Arizona Health Care Cost Containment System (AHCCCS), has announced that it has experienced a privacy breach as a result of an error mailing IRS 1095-B forms to Arizona Medicaid recipients. IRS 1095-B forms are reports that an individual has been enrolled in a qualified health plan.

AHCCCS sent a mailing to 1.87 million members earlier in 2019 but discovered that 3,146 of the forms had been delivered to incorrect addresses. No Social Security numbers were detailed on the forms, only names and dates of birth.

In all cases, the mailing error resulted in that information being disclosed to one other individual. AHCCCS has started mailing notifications to the affected individuals about the privacy breach, which has been attributed to a programming error.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.