The theft of a laptop computer from the vehicle of an Oceans Acquisitions employee has resulted in the protected health information of 659 patients from the Abilene region of Texas being exposed.
In May 2015, Oceans Acquisitions confirmed that all portable devices, including laptop computers, had sensitive data encrypted. In the event of theft or loss of a device, all PHI stored on that device would be protected. The encryption would prevent any unauthorized individual from being able to access stored data.
However, the laptop theft occurred on April 9, 2015, a month before Oceans Acquisitions ascertained that all devices were protected. While the healthcare provider believed the laptop computer theft did not place any data at risk of exposure, this has turned out not to be the case.
According to a substitute breach notice issued on February 2, 2016, Oceans Acquisitions determined that the laptop in question did contain the PHI of 659 individuals, and that those patients potentially had their PHI exposed. This came to light during a systems review that was unrelated to the laptop computer theft.
The data were stored in an email account that could be accessed through the computer. The data exposed included names of patients, medical record numbers, dates of birth, payer information, medical diagnoses, and admission dates. No financial information, insurance data, or Social Security numbers were stored in the email account or on the laptop.
Patients were notified of the possible exposure of their data in December 2015, with the substitute notice issued because Oceans Acquisitions did not have up-to-date contact information for some patients. OCR was notified of the data breach on December 22, 2015.
While no evidence has been found to confirm that data have been accessed or used inappropriately, it is possible that the email account has been accessed and patient data viewed. Consequently, to protect patients from identity theft and fraud, Oceans Acquisitions is offering affected patients a year of credit monitoring and identity theft protection services without charge.
Patients may feel that the breach notice is better late than never, but OCR will ask questions about the breach investigation and why it took 8 months and a totally unrelated systems review to identify that the laptop could have been used to log in to an email account containing patient PHI.
All covered entities should be aware of the exact locations where PHI is stored. Following any data breach, HIPAA-covered entities should conduct a full investigation, which should include a comprehensive organization-wide risk assessment. The exposure of PHI should therefore have been identified much sooner.