Truman Medical Centers Notifies 114,466 Patients of Potential PHI Exposure

Truman Medical Centers, the largest provider of inpatient and outpatient services in Kansas City, MO, has discovered the protected health information of 114,466 patients was stored on an unencrypted laptop computer that was stolen from the vehicle of one of its employees.

The laptop was protected with a password, but it is possible that the password could be cracked and data on the device accessed. At the time of issuing the notifications, Truman Medical Centers has not uncovered any evidence to suggest that any patient information has been accessed by unauthorized individuals or has been misused.

The types of information on the laptop varied from patient to patient and may have included patient names along with one or more of the following types of information: Dates of birth, patient account numbers, medical record numbers, Social Security numbers, health insurance information, and limited medical and treatment information, such as diagnoses, dates of service, and provider names.

The theft occurred on July 18, 2019, but it took until October 29, 2019 to determine that patient information was stored on the device. All individuals whose protected health information was stored on the laptop have now been notified by mail. Individuals whose Social Security number was stored on the device have been offered complimentary credit monitoring and identity protection services.

Employees have been re-educated on portable device security. Additional controls are being installed on employee laptops to enhance security.

Stolen Blackberry Contained the PHI of 2,477 Patients of La Clínica de La Raza, Inc.

La Clínica de La Raza, Inc, a provider of primary health care and other services in Alameda, Contra Costa, and Solano counties in California, has also discovered a portable electronic device has been stolen.

On August 20, 2019, a briefcase containing a La Clínica de La Raza-issued Blackberry device was stolen from an employee’s vehicle. Assisted by a computer forensics firm, La Clínica de La Raza determined on October 16, 2019 that the Blackberry contained the protected health information of 2,477 patients.

The information was found in two emails that had been downloaded onto the device. Those emails contained names, birth dates, medical record numbers, and non-sensitive test results.

While it is possible that the information could be accessed by unauthorized individuals, La Clínica de La Raza said PHI access would have been difficult. Affected patients were notified of the breach by mail on December 13, 2019. Affected individuals have been offered a one year membership to credit monitoring and identity protection services at no cost.

Steps are now being taken to improve the security of portable electronic devices and employees have had training on portable device security reinforced.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.