New West Health Services Data Breach Affected 25,000 Patients

New West Health Services has begun informing 25,000 patients concerning the loss of a password-protected, unencrypted laptop containing wide-ranging Protected Health Information.

Latest West Health Services Data Infringement Affects 25,000 Patients


New West Health Services, a not-for-profit provider of subsidized health policies, including Medicare Supplement and Medicare Advantage plans, has informed the thievery of one of its laptop computers.

New West, performing business as New West Medicare, declared on January 15, 2016, that the laptop computer had the records of roughly 25,000 plan members.

The laptop was password protected however, this is an insufficient protection to avoid PHI from being opened since passwords can be easily cracked. Had the computer been encoded, no patient health information would have been revealed and it wouldn’t have been essential for infringement notices to have been issued.

However, as there’s a probability that the PHI of patients might be accessed as well as used incorrectly, HIPAA needs to issue a breach notice to all affected persons. New West CEO Angela E. Huschka clarified in a declaration that “Out of loads of caution, New West is proactively informing affected members so they can take measures to protect their private information.”

Huge PHI Saved on the Unencrypted Laptop

Name and address only of some customers had been stored on the laptop. Others were not so lucky. In addition to their name and address, some customers had a substantial amount of private data unprotected. This included Medicare claim number, driver’s license number, date of birth, and Social Security number.

The language of the infringement notice suggest just a small amount of data were revealed for each patient, however those data contain extremely confidential information like Medicare premium amounts, prescription information, health condition diagnoses, medical histories, health information, credit card numbers (along with expiry dates and CVV codes), and bank account details.

New Health reported the thievery to law enforcement as well as started an inquiry into the infringement straightaway upon discovery of the thievery. It’s not evident from the data infringement report when the thievery actually happened, and the Office for Civil Rights has not yet listed the data infringement on its infringement portal site.

To tackle the danger of fraud and identity theft, all affected people have been offered identity theft protection and credit monitoring services for one year without a fee. Due to the size of the data that might have been revealed, infringement victims must start those services instantly and must also get a credit report from each one of the credit supervising organizations (TransUnion, Equifax & Experian). They must also examine Explanation of Benefits statements cautiously for any doubtful entries.

New Health has stated that it hasn’t found any proof to suggest that data have been abused incorrectly.

In a press release, Huschka clarified that New Health will be “settling up more security on all company laptops, increasing education for our workers, and reinforcing our data security policies as well as practices.” It’s not clear whether those security steps will include encoding the data saved on mobile devices.

Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.