Self Regional Healthcare Announces HIPAA Data Breach

Self Regional Healthcare (SRH), a healthcare provider based in South Carolina, has announced that a laptop computer was stolen from one of its facilities on May 25, 2014. That laptop contained unencrypted Protected Health Information of nearly 40,000 of its patients.

The data included highly sensitive information that could be used by criminals to commit identity fraud, insurance fraud and payment card fraud, and to file false Medicaid/Medicare claims. The laptop stored Social Security numbers, driver's license numbers, financial account numbers, payment card information, insurance policy details, physician names, diagnosis and procedure information, and patient names and possibly addresses.

SRH learned of the break-in and theft on May 27, 2014. Law enforcement officers were alerted and apprehended two individuals believed to have illegally entered the property. One admitted to stealing the laptop but, according to the report, said “he destroyed it and disposed of it in a lake” after an attack of remorse. He also claimed not to have accessed the contents of the laptop, which were password protected. Law enforcement divers were unable to locate the device. A login password on its own does not protect data at rest: the drive of an unencrypted laptop can be removed or booted from other media and read without any credentials, which is why HHS guidance treats password protection alone as leaving PHI unsecured.

As a result of the breach, SRH is offering all affected individuals one year of credit monitoring services free of charge. Breach notification letters have now been sent to all patients affected by the breach.

According to the HHS Office for Civil Rights breach reporting portal, the laptop contained 38,906 patient records. That makes the incident similar in scale to the Union Labor Life Insurance Company data breach reported in June, which was also caused by a stolen laptop containing unencrypted PHI.

In June there were six reported breaches of PHI, each affecting more than 500 individuals, caused by the theft of laptops and desktop computers. In May of this year, Sutherland Healthcare Solutions announced a data breach that affected 342,197 individuals.

Encryption is an “addressable” rather than a “required” specification under the HIPAA Security Rule, so a covered entity may document a reasonable alternative instead of deploying it, but healthcare organizations should weigh the cost of not using this protection. PHI encrypted in line with HHS guidance is not “unsecured PHI”, so its loss does not trigger breach notification. Had the laptop's drive been encrypted, SRH would not have had to send almost 39,000 notification letters by first class post, pay for a year of credit monitoring for its patients, or absorb the fallout from patients unhappy that their data was exposed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.