Exposure of patients’ protected health information may have occurred after an unencrypted laptop computer was stolen from a car belonging to an employee of Bassett Family Practice in Virginia.
The theft is thought to have occurred over the weekend of August 12-13, 2017. Patients were notified of the exposure of their private data on October 13, 2017. The practice justified the delay as the time needed to recover the missing files from backups and analyse them to determine which patients were affected and what types of PHI were held on the device.
The laptop was found to hold information about patients' visits to Bassett Family Practice, along with their names, dates of birth, account numbers, and insurance provider details. It also held information on current account balances. No Social Security numbers or credit or debit card information were stored on the device.
Storing protected health information on laptops is against the practice's standard policy and recommended procedure. The files had been moved to the device while Bassett Family Practice was migrating to a new IT system; the practice was also in the process of encrypting all of its laptops.
Encryption of stored data is an addressable, not required, implementation specification for HIPAA covered entities, even when PHI is kept on laptops that are taken out of healthcare facilities. If a covered entity decides not to encrypt, it must document the reasons for that decision and implement an equivalent alternative safeguard in its place.
The laptop had been fitted with software that sends Bassett Family Practice a notification if the device is accessed; no such notification has been received. If the thief does attempt to access or download the data stored on the device, the practice can remotely wipe the files. The risk of patients' PHI being accessed and misused is therefore believed to be minimal. Such access alerts and remote-wipe controls do, however, depend on the stolen laptop being powered on, connected to a network and still running its original software; the drive of an unencrypted laptop can otherwise be read directly, which is why encryption remains the safeguard that prevents a lost device from becoming a reportable breach.