Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services
Rocky Mountain Health Care Services of Colorado Springs has discovered an unencrypted laptop has been stolen from one of its employees. This is the second such incident to be discovered in the space of three months.
The latest incident was discovered on September 28. The laptop computer was discovered to contain the protected health information of a limited number of patients. The types of information stored on the device included first and last names, addresses, dates of birth, health insurance information, Medicare numbers, and limited treatment information.
The incident has been reported to law enforcement and patients impacted by the incident have been notified by mail.
Rocky Mountain Health Care Services, which also operates as Rocky Mountain PACE, BrainCare, HealthRide, and Rocky Mountain Options for Long Term Care, also discovered on June 18, 2017 that a mobile phone and laptop computer were stolen from a former employee. The devices contained names, dates of birth, addresses, limited treatment information, and health insurance details.
To date, only one of those incidents has appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal. That incident, reported on November 16, indicates 909 patients were impacted. It is unclear whether this is the first or second laptop theft.
In response to the breaches, Rocky Mountain Health Care Services has been reviewing its policies and procedures with respect to the security of patient information and portable electronic devices, and is considering incorporating mobile device management technologies and data encryption for its portable electronic devices.
As the Office for Civil Rights breach portal shows, the loss and theft of unencrypted portable electronic devices is still a major cause of healthcare data breaches, and one that the use of data encryption technologies can easily prevent. So far in 2017, there have been 31 breaches reported by covered entities and business associates that have involved the loss or theft of unencrypted laptop computers and other portable electronic devices.