HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Sunglo Home Health Services Suffers HIPAA Breach

A laptop computer containing Social Security numbers and Protected Health Information was stolen from the facilities of Sunglo Home Health Services on January, 26, 2015. While the number of affected individuals was not announced, it was confirmed that personal identifiers and PHI were stored on the laptop making this a HIPAA breach.

According to an Action 4 News report the day after the break in, a potential suspect has been arrested. KRGV News reported that the suspect broke into a van that was parked in the Sunglo car park, but instead of driving away he returned and broke into Sunglo’s facilities using a fire extinguisher to smash a window. He then took the laptop computer and made his getaway.

The following day the van was recovered and the suspect, Matthew de la Cruz, was apprehended after being caught on CCTV cameras driving the van; however none of the items taken in the break in, including the laptop computer, have been recovered by law enforcement officers. Matthew de la Cruz is currently in jail.

Since no equipment has been recovered it is possible that the laptop could have been sold so there is a risk to patients that their information could be used by criminals to commit fraud. The individuals affected are spread around the county. According to KRGV, they come “from Rio Grande City all the way to Brownsville – including Raymondville as well.” Given the nature of the services provided by Sunglo home health services, many of the healthcare provider’s patients are elderly or disabled and therefore are particularly vulnerable making them especially at risk.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

In this case the laptop computer had not been taken out of the building or left in a vehicle, so the perceived risk of a HIPAA breach may have been considered to be low by the healthcare provider. However, this incident does serve as a reminder to all HIPAA-covered entities that break ins can all too easily occur, and any portable equipment of value that can be easily sold on is likely to taken by thieves. Any theft of equipment containing unencrypted PHI is an automatic HIPAA breach.

Healthcare data, especially combined with Social Security numbers, can be used to commit medical and insurance fraud, while identities can be stolen and huge bills can be run up by the thieves. The data stored on laptops and other electronic devices is of much greater value than that of the hardware itself and is highly attractive to thieves. Healthcare providers and other holders of PHI must therefore implement robust controls to protect that data and ensure that unauthorized individuals are prevented from viewing private and confidential healthcare data.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.