Pathways Professional Counseling Reports Theft of Laptop Containing SSNs

A breach of social security numbers, health insurance information, medical data, and personally identifiable information has been announced by Pathways Professional Counseling after a laptop computer was stolen from the vehicle of an employee. The laptop computer was password protected, but was not encrypted.

The device contained highly sensitive information that could potentially be used by criminals to commit identity theft and fraud. Other data stored on the laptop included patient names, dates of birth, addresses, email addresses, phone numbers, demographic data, clinical information, financial information, referring physician names, and medical diagnoses of patients.

The theft occurred on September 24, 2015, and was discovered the following day. The incident was immediately reported to law enforcement and to Pathways Professional Counseling, and an investigation into the data breach was immediately launched.

Pathways Professional Counseling was able to determine that the laptop had not been used to gain access the organization’s network. Network access was blocked by changing the employee’s login credentials. The network was therefore protected, but data stored on the device could potentially be accessed. Consequently, patients affected by the data breach do face an elevated risk of suffering identity theft and fraud.

An external computer forensics company was employed to investigate the extent of the data breach and determine which patients have been affected. Investigations into the breach are continuing, although no evidence has yet been uncovered to suggest data stored on the laptop have been accessed or used inappropriately. Breach notification letters were dispatched on November 24, 2015, and all affected patients are being offered credit monitoring and credit restoration services for a period of one year without charge to mitigate risk.

The Department of Health and Human Services’ Office for Civil Rights has been informed of the data breach. The incident has yet to appear on the OCR data breach portal, so it is unclear how many individuals have been affected.

Passwords Only Offer a Degree of Protection

The laptop computer was password protected, but passwords can be cracked. To avoid the exposure of Protected Health Information (PHI), covered entities must encrypt stored data. If devices used to store PHI are permitted to be removed from the premises of a HIPAA-covered entity, data encryption is strongly advisable.

So far this year, HIPAA-covered entities have reported 41 security incidents involving the theft of laptop computers and other portable storage devices. Up until the announcement of this data breach, 520,211 individuals have had their PHI exposed as a result of portable device/laptop theft. Had data encryption been employed, those data breaches could potentially have been avoided.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.