HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

StarCare Specialty Health System Reports Potential PHI Breach

The protected health information of 2,844 StarCare Specialty Health System patients has potentially been compromised following the burglary of StarCare/StarQuest offices in Lubbock, Texas on May 30, 2016.

Thieves broke into the offices at 3315 East Broadway and stole five laptop computers. One of those devices contained the ePHI of patients, including names, telephone numbers, Social Security numbers, medical record numbers, Medicaid/Medicare numbers, diagnoses, and admission and discharge dates. It is unclear whether the laptop was password protected, but the data were not encrypted.

A box of patient files was also in the office and it is possible that the information contained in some of the files may have been viewed by the burglars, although the paperwork was not removed from the office.

All affected individuals had previously received Behavioral Health program services, Intellectual Developmental Disabilities program services, and/or Therapeutic Treatment Community services from StarCare.

While it is not possible to prevent break-ins and theft of equipment, it is possible to implement controls to prevent the exposure of PHI and to limit the damage caused when portable storage devices are stolen.

StarCare Specialty Health System had implemented technology to allow laptop computers to be remotely deactivated in the event of loss or theft. Upon discovery of the theft, StarCare was able to remotely disable the laptop computer to prevent ePHI from being accessed.

The burglary prompted StarCare Specialty Health System to conduct a full review of its security controls, and additional protections will be put in place at its offices. The decision has also been taken to use data encryption on all of its computers.

Patients affected by the breach are in the process of being notified and are being offered one year of credit monitoring and identity protection services without charge. Patients will also be protected by an identity theft insurance policy and, in the event that identities are stolen, will benefit from identity restoration services. At the time of writing, no reports of unauthorized use of ePHI have been received.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.