HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Theft of Unencrypted Laptop Sees Pathology Lab Patients’ PHI Exposed

An unencrypted laptop computer issued to an employee of Clinical Pathology Laboratories Southeast, Inc., (CPLSE) has been stolen, exposing the protected health information of certain patients and their payment guarantors.

Prompt action was taken by CPLSE to prevent the laptop from being used to connect to its network and the theft was reported to law enforcement; however, it is possible that the protected health information stored on the laptop could have been viewed by unauthorized individuals.

An internal investigation was conducted to determine the types of information stored on the device which indicated the following PHI elements were potentially exposed: Names, addresses, driver’s license numbers, Social Security numbers, government ID numbers, medical record numbers, and medical treatment information.

Patients have now been notified of the breach and advised of the steps they can take to protect themselves against misuse of their data. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Steps have also been taken to prevent similar incidents from occurring in the future, which include retraining staff on data security, updating appropriate policies and procedures, and using encryption technology on portable electronic devices used to store ePHI.

The laptop was stolen on September 20, 2017 and the substitute breach notice uploaded to the CPLSE website on March 21, 2018. It is unclear why it took 6 months for the incident to be announced. HIPAA requires notifications to be issued within 60 days of the discovery of a breach.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights Breach Portal. The number of individuals affected has not yet been confirmed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.