Car Theft Results in Exposure of PHI of 2900 Individuals

Insurance Data Services (IDS), a Wyoming-based medical billing company, has started to send breach notification letters to patients of one of its HIPAA-covered clients, Claystone Clinical Associates, to advise them of the potential exposure of some of their Protected Health Information (PHI).

IDS had contracted a West Michigan-based delivery service to deliver client mailings; however, the vehicle used by the courier company was stolen on September 15. The theft occurred at Zondervan Publishing in Kentwood, MI.

The vehicle theft was reported to law enforcement and an investigation has commenced. The theft was captured by closed-circuit television cameras; however, the recordings show a masked and gloved individual entering the vehicle and driving away, so it has not been possible to identify a suspect at this time. The vehicle has since been found and recovered, but its contents had been taken by the thief.

No electronic PHI was exposed, but patient mailings were taken from the vehicle. The information in the mailings did not include Social Security numbers, financial information, dates of birth or medical insurance numbers; however, patient names, phone numbers, addresses, treatment codes, diagnosis codes, account balances and health insurer names have potentially been compromised. Approximately 2,900 individuals are understood to have been affected by the breach.

Under HIPAA Rules, covered entities and their Business Associates are allowed up to 60 days to issue breach notification letters to patients affected by a data breach. Many choose to delay notifying victims for a number of weeks; however, IDS acted quickly and began notifying affected patients within 10 days of the breach in an effort to mitigate the risk of identity theft. IDS has not received any information to suggest the data have been used inappropriately so far. As a precaution, the company has provided affected patients with information about the steps they can take to protect their identities.

Healthcare providers and their Business Associates can take a number of steps to safeguard the PHI of patients and health plan members, such as encrypting electronically stored data; paper files, however, cannot be encrypted, so security incidents such as this are difficult to prevent.

It is not clear whether the driver was in any way to blame for the theft, but IDS has decided not to use the courier company for any future deliveries. IDS has also announced that it will revise its policies to prevent similar incidents from occurring in the future.

There have been a number of cases of PHI theft reported to the Department of Health and Human Services' Office for Civil Rights in recent months, with August a particularly bad month for HIPAA-covered entities. Loss and theft of PHI was the biggest cause of data breaches in August.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.