Oregon CO-OP Suffers Laptop Theft and Breach Notification Snafu

The Oregon CO-OP, a not-for-profit start-up health insurer, has reported the theft of a laptop containing unencrypted data. The laptop did not contain any health information, although names and addresses of current and former members were stored on the device along with Social Security numbers, health plan details, ID numbers, dates of birth and the names of dependents.

The “security incident” was immediately reported to law enforcement officers and the theft is now being investigated. The incident occurred on April 3, although the laptop computer has not yet been recovered. While the device did not have data encryption software installed, it was protected with a password. This, in itself, is not sufficient protection for data of this nature, as passwords can easily be cracked, but it does decrease the likelihood of the data being accessed or used to commit fraud. The CO-OP has no reason to believe that the data has been used in this way, or that any members’ information was accessed by the perpetrators of the crime.

Breach Notification Snafu Delays Letters

All affected individuals are being sent breach notification letters, although the healthcare insurer has experienced a few problems with the mailing. The Oregonian reported that a number of individuals have had their letters sent to incorrect addresses. According to the OCR breach report, 14,000 individuals have been affected.

Lester and Nora Brock received five separate breach notification letters at their Sherwood home, although none were addressed to them personally and each bore the name of a different person not known to them. Whether this was due to a database or mailing error is not certain at this time. Ralph Prows, Oregon’s Health CO-OP CEO, referred to the breach notification letter error as an “unfortunate additional snafu.”

He recommends that all affected individuals – when they finally receive their breach notifications – sign up for the credit monitoring services that are being offered to patients free of charge. He pointed out that CO-OP employees are all members of the insurance plan so their data has also been compromised in the incident. “We’re all as concerned as we could be about this. I actually think it’s a low risk issue, but not a zero-risk issue. So I want people to take steps to protect themselves,” he said.

Oregon CO-OP – via IDExperts – has set up an informational website where victims of the breach can sign up for credit monitoring services to protect against identity theft and fraudulent claims.

Healthcare Providers and Insurers Hit by Major HIPAA Breaches

The past two months have been particularly bad for the healthcare industry, with numerous major data breaches reported. The hacking incident at Premera Blue Cross exposed 11,000,000 records, the Anthem data breach resulted in 78.8 million records being obtained by criminals and 151,000 records were stolen from Advantage Consolidated.

The loss of unencrypted devices continues to be a problem for HIPAA-covered entities. The University of Illinois at Chicago reported a laptop theft which exposed 3,000 records earlier this week; in early March, the Indiana State Medical Association reported the theft of an unencrypted device containing 38,351 records; and Valley Community Healthcare, the San Francisco General Hospital and Trauma Center, Kane Hall Barry Neurology and Raymond Mark Turner, M.D. all reported data breaches as a result of the loss or theft of unencrypted devices.

Post updated 06/05/2015

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.