Theft of Unencrypted Laptop Results in Exposure of 3,100 Patients’ ePHI

MGA Home Healthcare has notified 3,119 patients that some of their electronic protected health information (ePHI) has been exposed after an unencrypted laptop computer was stolen from the vehicle of an employee.

The theft occurred at some point between August 19 and August 20, 2016, and was discovered on August 20. The incident was reported to law enforcement immediately, while the Department of Health and Human Services’ Office for Civil Rights was notified of the breach on October 19. The delay in notifying patients and OCR was due to the time it took to conduct a thorough review of the exposed data and to determine which patients had been impacted.

The information stored on the laptop includes patients’ names, home addresses, demographic data, and information relating to the medical services provided to patients. MGA Home Healthcare determined that only 32 patients had their driver’s license or Social Security number exposed.

All affected patients have been offered identity theft protection services for a period of one year in case any exposed data are used inappropriately. However, no reports have been received to suggest any information on the device has been accessed or misused.

MGA Home Healthcare is now revising its policies and procedures to reduce the risk of further ePHI breaches, although it is unclear whether those measures will include data encryption.

Recent Healthcare Data Breaches Involving the Theft of Unencrypted Devices used to Store ePHI

Earlier this month, The Finley Center in Nevada, a provider of physical therapy, acupuncture, and naturopathic medicine, reported the theft of a desktop computer to the Office for Civil Rights. The computer contained the ePHI of approximately 3,000 patients.

The Indiana-based Gibson Insurance Agency, a business associate of HIPAA-covered entities, has similarly experienced the theft of a device used to store ePHI. In this case, the stolen laptop computer contained the ePHI of 7,242 individuals.

In late September, Fred’s Stores of Tennessee Inc. reported the theft of a laptop computer containing information relating to prescriptions. 9,624 individuals were impacted by that incident. Also in September, OCR was notified of a breach of 1,400 individuals’ ePHI following the theft of a U.S. HealthWorks laptop.

Since January 1, 2015, 102 incidents of loss or theft of electronic devices used to store ePHI have been reported to the Office for Civil Rights. Those incidents have resulted in the exposure of 1,513,417 healthcare records.

Data encryption on portable devices is one of the most effective methods for preventing ePHI breaches. Yet even though device theft remains a major cause of healthcare data breaches, many covered entities have still not elected to encrypt their devices, which places ePHI at risk of exposure.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
