HIPAA Business Associate Reports 31K Record Data Breach

Omaha-based Seim Johnson, a business associate of a number of healthcare providers in Nebraska and beyond, has announced that one of its laptop computers was stolen in Nashville, Tennessee, exposing nearly 31,000 healthcare patient records.

The laptop computer contained the protected health information (PHI) of 30,972 healthcare patients, 4,200 of whom were patients of Community Hospital in McCook, Nebraska. It is not clear which other healthcare providers were working with Seim Johnson and have been impacted by the data breach.

The types of PHI exposed varied from patient to patient, although many had their name, patient identification number, medical record number, or a visit number exposed. In a limited number of cases, Social Security numbers were compromised, although no financial information was stored on the laptop.

Patients are in the process of being informed of the privacy breach. If a Social Security number was stored on the laptop, patients will have been specifically informed of this in their breach notification letter.

It is company policy at Seim Johnson to encrypt all data stored on laptop computers, which are also protected with a password. Encryption software was used to protect the data stored on the stolen laptop, although an investigation into the incident revealed that the software was likely not functioning correctly. Since it cannot be confirmed whether encryption protected the data stored on the laptop, the company has begun notifying all patients of a potential breach of their confidential data.

HIPAA Business Associate Data Breaches Now Something of a Rarity

Following the introduction of the HIPAA Omnibus Rule, business associates of covered entities had a torrid time, with many reporting data breaches in the months that followed. However, it is now relatively rare for a business associate of a HIPAA covered entity to suffer a data breach.

The last business associate data breach before the recent announcement of the Seim Johnson laptop theft was that of pharmacy benefits manager EnvisionRx. A mailing error resulted in names, medication details, and dates of service of 540 individuals being inadvertently disclosed. That privacy breach was reported to OCR in October 2015, as was a breach at Insurance Data Services, from which 2,918 paper records were stolen.

Sunquest Information Systems reported the theft of a laptop computer containing 2,100 records in September, and EBPMA reported a 1,494-record breach in July. Also reported in July was the Medical Informatics Engineering data breach, which impacted 3,900,000 individuals.

A total of 15 data breaches were reported to have involved business associates in 2015 out of the 267 data breaches reported to OCR all year. This is a considerable improvement on 2014 and 2013, when business associates were involved in 78 and 72 data breaches respectively.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.