Valley Hope Association Notifies Patients of Unencrypted Laptop Theft
Valley Hope Association, a Kansas-based provider of drug and alcohol treatment services, has started notifying patients about the theft of an unencrypted laptop computer which resulted in the exposure of patients’ protected health information. The laptop computer was stolen from an employee’s vehicle on December 30, 2015.
The highly sensitive data stored on the laptop include full names of patients along with some of the following data elements: home addresses, phone numbers, Social Security numbers, driver’s license numbers, health insurance information, financial information, state identification numbers, medical record numbers, patient record numbers, disability codes, details of medication, clinical data, medical diagnoses, treatment location, types of treatment received, referring physician names, and usernames and passwords.
The device was being used to store the protected health information of patients, but those data were not encrypted. The laptop was protected with a password, so there is a possibility that the data have not been viewed.
However, since passwords can be cracked, there is a chance that patient data have been accessed. Due to the sensitive nature of the data stored on the device, Valley Hope Association has offered all affected patients complimentary credit monitoring and restoration services for a period of one year.
Following the discovery of the theft, Valley Hope Association initiated an investigation to determine the exact nature of the data stored on the device. A third-party computer forensics firm was hired to assist with the task. Login details were changed to prevent the laptop computer from being used to connect to the Valley Hope Association systems, although the data stored on the device could not be deleted remotely.
The theft was reported to law enforcement on the same day and investigations are continuing, although no suspects have been apprehended and the laptop computer has not been recovered. The incident was reported to the Office for Civil Rights on February 26, 2016. The breach report indicates that 52,076 patients were affected by the data breach, making this one of the largest healthcare data breaches reported so far in 2016.