HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

North East Medical Services HIPAA Breach Reported: 69,246 Affected

A HIPAA breach has been reported by North East Medical Services. The Protected Health Information of almost 70,000 patients has potentially been exposed after an unencrypted laptop was stolen from a NEMS employee’s car.

According to a breach notice sent to the California Department of Public Health, the incident occurred on July 11, 2015. The laptop was left in the locked trunk of a vehicle from where it was subsequently stolen. The healthcare provider was alerted to the equipment theft on July 13.

North East Medical Services HIPAA Breach Exposed “Limited Personal Information”


The investigation launched following the crime revealed that the laptop contained data relating to 69,246 patients, which, according to the breach notice, consisted of one or more of the following data elements: patient name, gender, date of birth, address, phone numbers, and pay/insurer information. No medical records were stored on the laptop, although some patients’ diagnoses, test results, medications, treatments and appointment times were listed in spreadsheets stored on the computer.

No Social Security numbers or financial information were exposed in the incident; however, 28 individuals had their Social Security numbers revealed via their insurer’s account numbers, which contained a sequence of numbers discovered to include their Social Security number. Identity theft protection services have been offered to those 28 individuals.

NEMS Initiates Rapid and Comprehensive Breach Response


In contrast to many healthcare providers who delay the issuing of breach notices for up to two months after a security incident has been suffered, patients affected by the North East Medical Services HIPAA breach were alerted to the incident promptly and all 69,246 letters have now been dispatched.

The breach response was prompt and thorough, severely limiting the risk of losses being suffered by the victims. As soon as the theft was discovered, login information was changed by the employee concerned to prevent any data from being exposed. The company conducted a risk assessment on the same day that the theft was discovered, and emergency procedures were initiated. Two days later the decision was taken to prevent employees from leaving the healthcare provider’s facilities with company laptop computers. Notification letters were sent to patients on July 31, just over two weeks after the theft was discovered. The healthcare provider has also now encrypted data on all of its laptop computers.

Further training has been provided to staff members, the media has been alerted to the breach, and the security incident is being reported to federal and state authorities, as well as stakeholders and third party payers, according to NEMS Privacy Officer, Linda Kline.

Had NEMS been more proactive and encrypted the data on its laptops earlier, the data breach would have been avoided; however, the fast breach response and damage mitigation efforts by both the employee and the healthcare provider have reduced the risk of damage, loss and harm to the minimum level.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.