HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Stolen Union Labor Life Laptop Exposes 46,771 HIPAA Records

The failure to encrypt data on mobile devices has resulted in the Union Labor Life Insurance Co. (ULLICO) having to send out 46,771 breach notification letters to its members informing them that thieves have managed to obtain their Protected Health Information. The data compromised in the latest breach includes Social Security numbers, names, addresses and a limited amount of healthcare data.

ULLICO has confirmed that the data compromised in the incident corresponds only to Union Labor Life. None of its affiliates – ULLICO Casualty Group, Inc., ULLICO Investment Advisors, Inc and ULLICO Investment Company – were affected.

The insurer discovered that one of its laptop computers had been stolen from its offices in Silver Spring, MD on February 18, with the theft understood to have occurred the day before. The theft was reported to Montgomery County Police, although to date the laptop has not been recovered.

The laptop contained data on participants, dependents and insurance applicants who had purchased – or applied to purchase – group life insurance or medical stop loss policies between January 2012 and February 2014.

In response to the theft, the insurer has offered all affected individuals a year of free credit monitoring services – through AllClear ID – to allow them to check whether the thieves are using their information to obtain medical services, and to prevent them from becoming victims of identity fraud.

ULLICO has also advised members that they will be able to activate AllClear ID’s tri-bureau credit monitoring service and benefit from a $1 million identity theft insurance policy should their data be used to commit medical or identity fraud.

In order to protect children, the company is offering the AllClear ID ChildScan service. This service involves a thorough search of public databases – numbering in the thousands – to determine whether the thieves have committed credit, criminal, medical or employment fraud. While the services are being offered, they are not provided automatically.

Any person wishing to take advantage of the services must respond to the breach notification letter in order to activate them. The duration of credit monitoring will be 12 months starting from the date of the notification letter, not the date it is received or the date of activation of the credit monitoring services.

The company has also created a page on its website detailing the breach and providing information for members who are concerned about what the data theft means. Via this website, plan members are provided with the police report number – case number 14008057 – as this is sometimes required before a freeze can be put on credit files.

There is no mention in the breach notification letters – or on the company website – that ULLICO will be encrypting data on its mobile devices in future to prevent further equipment thefts from exposing customer data.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.