HealthSouth Rehabilitation Hospital Announces 1,359-Record Data Breach

Only a few hours after the announcement of the theft of an unencrypted laptop computer from the vehicle of an employee of the New Mexico Department of Health comes news of another.

The latest laptop theft affects 1,359 patients of the HealthSouth Rehabilitation Hospital in Round Rock, TX. An employee of the hospital left an unencrypted laptop computer in the trunk of a vehicle, from which it was stolen. As with the NM Department of Health laptop theft, the incident occurred in October. Covered entities have up to two months to issue breach notification letters to patients and the Department of Health and Human Services’ Office for Civil Rights. The notification letters were sent on Tuesday, December 22, and OCR has now been notified.

The theft was discovered by HealthSouth on October 26, 2015, five days after the theft actually took place. Once the theft was discovered, the incident was reported to Austin law enforcement. It is not clear why it took five days for hospital staff and law enforcement officers to be notified. The laptop computer has not subsequently been recovered.

The laptop computer was password protected, so the data would not be accessible without the password being cracked. This protection should ensure that data is not exposed, although hackers are able to crack passwords. Without data encryption there is a possibility that the data stored on the device could be accessed.

The data stored on the laptop include patient names, dates of birth, home addresses, contact telephone numbers, referral ID numbers, and medical record numbers. Social Security numbers, health insurance information, and medical diagnoses were also stored on the device. If the password is cracked, the thieves would have all the information needed for them to commit identity theft and insurance fraud. With tax season almost upon us, it would be the ideal time for the thieves to submit fraudulent tax returns on behalf of the patients.

Unfortunately, the theft occurred before HealthSouth Rehabilitation Hospital was able to encrypt the laptop. The hospital, formerly known as Reliant Rehabilitation Hospital Central Texas, was taken over by HealthSouth on October 1, 2015.

Reliant did not encrypt data on portable devices, although HealthSouth does ensure all laptop computers are encrypted to reduce the risk of PHI exposure. In accordance with HealthSouth data security policies, all laptop computers had been scheduled to be updated and encrypted. HealthSouth had ordered the return of all Reliant Rehabilitation Hospital laptop computers, but the theft occurred before the laptop could be recalled.

With the breach notification letters being mailed so close to Christmas, there is a possibility that some will be delayed. Some patients may therefore receive them over two months after the theft was identified, and certainly more than two months after the theft occurred.

While the data breach will come as bad news for patients, they have been offered identity theft protection and credit monitoring services by HealthSouth for a period of one year without charge.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.