Stolen Premier Healthcare Laptop Returned: No PHI Accessed Says Pondurance

When a healthcare laptop is stolen it is exceptionally rare for the device to be recovered. However, Premier Healthcare LLC., has reported that the laptop computer stolen from its billing department on December 31, 2015 has now been recovered.

Initially, it was unclear how many patients had been affected by the breach, although an analysis revealed that the laptop computer contained the records of 205,748 individuals. The laptop computer was protected with a password but the data stored on the device were not encrypted. PDF files, spreadsheets, and screenshots containing the protected health information of patients were all potentially accessible.

The laptop computer was last seen in the billing department and was believed to have been stolen on December 31; however, more than two months after the device went missing it arrived in the mail. Premier Healthcare reported the device was received in the mail on or before March 7, 2016.

It would appear that the individual who took the laptop had second thoughts and returned the device anonymously. However, a data breach may still have occurred. To determine whether any data had been accessed Premier Healthcare enlisted the services of an information security firm – Pondurance – to conduct a forensic analysis.

That analysis revealed that not only had the data stored on the device not been accessed, but the laptop appeared not to have even been powered on since it was stolen from the billing department on 180 South Liberty Drive, Bloomington, IN. Premier Healthcare has reported that an internal and police investigation into the disappearance of the laptop is continuing.

In this case it would appear that no patient data has been exposed and therefore there has been no data breach, although affected patients did receive a breach notification letter. The HIPAA Breach Notification Rule required Premier Healthcare to notify patients within 60 days of the discovery of the laptop theft that their data had potentially been exposed. The laptop computer was returned just after that 60-day period had elapsed.

In response to the breach that never was, Premier Healthcare took the decision to encrypt all portable devices used to store PHI, including portable devices only used in secure areas of its facilities.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.