Fred Finch Youth Center has issued data breach notices announcing one of its facilities has suffered a burglary that has potentially exposed the Protected Health Information (PHI) of 6,871 individuals.
Fred Finch operates youth centers in Alameda, Contra Costa, San Mateo, and San Diego Counties. The San Diego County facility was targeted by thieves, who gained access to the property by forcing open a locked window on April 4 or 5, 2015. The staff discovered the burglary on April 6 and realized that “several pieces of computer equipment” had been stolen. Some of that equipment contained information protected under the Health Insurance Portability and Accountability Act.
The information stored on the computer equipment included full names, dates of birth, Social Security numbers and treatment information. An undisclosed number of Medi-Cal numbers were also stored in the records. The breach notice states that protections are in place which should keep the information secure; however, the data stored on the devices was not encrypted.
The equipment had “technical protections (including complex passwords and advanced electronic storage processes)” according to the breach notice. It also says “there is a chance that a person with sufficient technical skill could defeat the security measures.”
Fred Finch has taken action to mitigate any damage caused and is offering all affected individuals identity theft protection services for a period of 12 months. Instructions on how to take advantage of these services have been provided, along with additional actions that can be taken to protect against identity fraud. All affected individuals are in the process of being notified by mail.
HIPAA Regulations and the Breach Response
If PHI is potentially exposed along with personally identifiable information, HIPAA regulations demand that all affected individuals are notified of the breach by mail. A media notice should be posted and the breach reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Covered entities have up to two months (60 days) to make the breach report.
Fred Finch announced the breach two full calendar months after the breach occurred. While the notice appears to have been posted within the deadline, HIPAA regulations also state that covered entities should issue breach notices in a timely manner, “without unnecessary delay.”
The breach notice states that Fred Finch “is sharing this information through letters to affected individuals,” indicating that some will likely receive their breach notices later than two months after the incident was discovered, and five months after the incident occurred. It is not clear why Fred Finch delayed issuing the breach notice and notifying the OCR until June 5.
Delayed breach responses suggest unpreparedness for a data breach, and leaving breach notices to the last minute invites close scrutiny of compliance efforts by HIPAA regulators. The compliance audits are fast approaching and the OCR has yet to select all organizations for audit. Any organization suffering a data breach should therefore make every effort to ensure that the breach is investigated and reported promptly if OCR attention is to be avoided.