United HomeCare Services had been diligently implementing policies and procedures to protect the PHI of its patients, which included installing software to encrypt the data on all of its laptop computers. Upgrading data security measures can take some time, and while laptops had been scheduled for data encryption, some devices only employed password protection to protect the data.
On January 8, 2013 a billing manager at the hospital returned home with a laptop computer which she was authorized to take off the premises. On the way home from the hospital the employee made a stop to visit a friend who was ill. She left the laptop on the front seat of the car, locked the doors and entered her friend’s house. Despite the visit only lasting 10 minutes, this was enough time for thieves to smash her car window and steal the laptop.
United HomeCare Services was made aware of the incident and the local authorities were notified of the theft. UHCS reported the theft to the OCR the following day, and while it was known that the laptop had some patient data stored on the hard drive, it was not immediately clear how many patient records had potentially been compromised and the nature of the data recorded on the laptop.
During the investigation, UHCS was able to determine from the roaming profile that the records stored on the laptop dated back to 2002 and included confidential information on 1,318 patients of United Home Care Services of Southwest Florida and a further 12,299 patients of United HomeCare Services, Inc.
In accordance with the HIPAA Privacy Rule, all affected persons were notified of the breach in February. A letter was sent to all affected patients to inform them that their PHI may have been viewed by unauthorized individuals. However, it later became known that while the majority of patient data involved only names and addresses – few medical or diagnosis codes were present in the data – some patient records included a date of birth and a Social Security number. A second notification letter was sent to the patients on March 8, 2013 to confirm that the exposed data may have included additional sensitive information.
In order to mitigate any damage caused, UHCS has offered 2 years of credit monitoring services to all affected patients and a private investigator has been employed to try to recover the laptop. To date, neither the PI nor the police have been able to recover the device and render the data secure.
UHCS has now ensured that all data on laptop computers is encrypted, and the staff has been retrained on data security and its obligations under HIPAA regulations. The OCR has yet to complete its investigation, and while this incident has breached HIPAA regulations, no fines have been issued to date.