Share this article on:
An unencrypted laptop computer issued to an employee of Clinical Pathology Laboratories Southeast, Inc., (CPLSE) has been stolen, exposing the protected health information of certain patients and their payment guarantors.
Prompt action was taken by CPLSE to prevent the laptop from being used to connect to its network and the theft was reported to law enforcement; however, it is possible that the protected health information stored on the laptop could have been viewed by unauthorized individuals.
An internal investigation was conducted to determine the types of information stored on the device which indicated the following PHI elements were potentially exposed: Names, addresses, driver’s license numbers, Social Security numbers, government ID numbers, medical record numbers, and medical treatment information.
Patients have now been notified of the breach and advised of the steps they can take to protect themselves against misuse of their data. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals.
Steps have also been taken to prevent similar incidents from occurring in the future, which include retraining staff on data security, updating appropriate policies and procedures, and using encryption technology on portable electronic devices used to store ePHI.
The laptop was stolen on September 20, 2017 and the substitute breach notice uploaded to the CPLSE website on March 21, 2018. It is unclear why it took 6 months for the incident to be announced. HIPAA requires notifications to be issued within 60 days of the discovery of a breach.
The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights Breach Portal. The number of individuals affected has not yet been confirmed.