HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Theft of Unencrypted Laptop Results in Exposure of 3,100 Patients’ ePHI

MGA Home Healthcare has notified 3,119 patients that some of their electronic protected health information (ePHI) has been exposed after an unencrypted laptop computer was stolen from the vehicle of an employee.

The theft occurred at some point between August 19 and August 20, 2016 and was discovered on August 20. The incident was reported to law enforcement immediately, while the Department of Health and Human Services’ Office for Civil Rights was notified of the breach on October 19. The delay in notifying patients and OCR was due to the time it took to conduct a thorough review of the exposed data and to determine which patients had been impacted.

The information stored on the laptop includes patients’ names, home addresses, demographic data, and information relating to the medical services provided to patients. MGA Home Healthcare determined that only 32 patients had their driver’s license or Social Security number exposed.

All affected patients have been offered identity theft protection services for a period of one year in case any exposed data are used inappropriately. However, no reports have been received to suggest any information on the device has been accessed or misused.

MGA Home Healthcare is now revising its policies and procedures to reduce the risk of further ePHI breaches, although it is unclear whether those measures will include data encryption.

Recent Healthcare Data Breaches Involving the Theft of Unencrypted Devices used to Store ePHI

Earlier this month, The Finley Center in Nevada, a provider of physical therapy, acupuncture, and naturopathic medicine, reported the theft of a desktop computer to the Office for Civil Rights. The computer contained the ePHI of approximately 3,000 patients.

The Indiana-based Gibson Insurance Agency, a business associate of HIPAA-covered entities, has similarly experienced the theft of a device used to store ePHI. In this case, the stolen laptop computer contained the ePHI of 7,242 individuals.

In late September, Fred’s Stores of Tennessee Inc. reported the theft of a laptop computer containing information relating to prescriptions. 9,624 individuals were impacted by that incident. Also in September, OCR was notified of a breach of 1,400 individuals’ ePHI following the theft of a U.S. HealthWorks laptop.

Since January 1, 2015, 102 incidents of loss or theft of electronic devices used to store ePHI have been reported to the Office for Civil Rights. Those incidents have resulted in the exposure of 1,513,417 healthcare records.

Data encryption on portable devices is one of the most effective methods for preventing ePHI breaches. Yet even though device theft remains a major cause of healthcare data breaches, many covered entities have still not elected to encrypt their devices, which is placing ePHI at risk of exposure.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.