Unencrypted Laptop Theft Exposes PHI of 9,300 University of Oklahoma Patients

Lightening does strike twice, at least in Oklahoma it would seem, where yet another unencrypted laptop has been stolen from the car of a University of Oklahoma (UO) physician, this time exposing the Protected Health Information (PHI) of 9,300 patients, adding to the 7,693 victims created by the last UO unencrypted laptop theft, reported in July.

If the Department of Health and Human Services’ Office for Civil Rights has not yet investigated the previous breach – suffered by the University of Oklahoma’s College of Medicine’s Department of Obstetrics and Gynecology – this additional laptop theft may well move the investigation up the priority list. This time around, the security breach hints of HIPAA violations.

University of Oklahoma HIPAA Breach?


In the latest case, UO was unaware that the Department of Urology physician in question was storing patient data on the laptop, which was in violation of internal data security policies. The breach notice was issued almost three months after the theft occurred, suggesting a violation of the HIPAA Breach Notification Rule.

UO acted within the 60-day notice period as required by HIPAA Rules, having learned of the theft “on or about August 14, 2015.” The OCR was notified of the incident on October 10, 2015. However, the theft of the laptop actually occurred during the night of July 16, 2015. The physician notified law enforcement immediately upon discovery of the theft; but did not notify the University until almost a month later.

As reported by Databreaches.net, “The University determined on or about September 18 that the former physician and his current employer had not yet notified the University patients whose information may have been on the laptop, so the University is doing so.” Under HIPAA Rules, it is the responsibility of the covered entity to issue breach notification letters to patients, not an individual physician nor any subsequent employer.

Following the previous laptop theft, which occurred on June 12, 2015, UO advised the media/patients it would be “providing additional training to workforce members and revising certain procedures governing the protection of electronic information.” However, it would appear that did not occur in time to prevent a second breach, or that the physician in question ignored any advice given on data security.

The UO breach notice went on to say, “The physician may have had a data base spreadsheet stored on the laptop, which was password-protected but not encrypted.” The spreadsheet that may or may not have been stored on the laptop contained data relating to patients who had visited the University’s urology clinic for pediatric urology procedures between 1996 and 2009. The information stored in the spreadsheet “may” have included patient names, ages, dates of birth, medical record numbers, treating physicians’ names, diagnosis and treatment codes, and the medical procedures performed. While UO could not confirm the data stored in the spreadsheet, it was able to determine that financial information, Social Security numbers and patient addresses were not exposed.

The University of Oklahoma will now be “taking additional steps to help prevent similar incidents from occurring and is providing additional training to employees on the importance of securing patient information.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.