StarCare Specialty Health System Reports Potential PHI Breach
The protected health information of 2,844 StarCare Specialty Health System patients has potentially been compromised following the burglary of StarCare/StarQuest offices in Lubbock, Texas on May 30, 2016.
Thieves broke into the offices at 3315 East Broadway and stole five laptop computers. One of those devices contained the ePHI of patients including names, telephone numbers, Social Security numbers, medical record numbers, Medicaid/Medicare numbers, diagnoses, and admission and discharge dates. It is unclear whether the laptop was password protected, although the data were not encrypted.
A box of patient files was also in the office and it is possible that the information contained in some of the files may have been viewed by the burglars, although the paperwork was not removed from the office.
All affected individuals had previously received Behavioral Health program services, Intellectual Developmental Disabilities program services, and/or Therapeutic Treatment Community services from StarCare.
While it is not possible to prevent break-ins and theft of equipment, it is possible to implement controls to prevent the exposure of PHI and to limit the damage caused when portable storage devices are stolen.
StarCare Specialty Health System had implemented technology to allow laptop computers to be remotely deactivated in the event of loss or theft. Upon discovery of the theft, StarCare was able to remotely disable the laptop computer to prevent ePHI from being accessed.
The burglary prompted StarCare Specialty Health System to conduct a full review of its security controls, and additional protections will be put in place at its offices. The decision has also been taken to use data encryption on all of its computers.
Patients affected by the breach are in the process of being notified and are being offered a year of credit monitoring and identity protection services without charge. Patients will also be protected by an identity theft insurance policy and, in the event that identities are stolen, will benefit from identity restoration services. At the time of writing, no unauthorized use of ePHI has been reported.