The Philadelphia Department of Behavioral Health and Intellectual Disability Services (DBHIDS) is notifying 1,500 individuals that their private information may have been exposed after an employee lost an unencrypted laptop.
The employee had been carrying the laptop in a briefcase, which they misplaced on public transport. The laptop was password-protected but not encrypted. A login password only gates the operating system, not the data on the disk: anyone able to remove the drive or boot the machine from other media could read the protected health information it held.
The laptop contained information such as names, dates of birth, MCI numbers, service provider names, and Medicaid waiver services that the client had applied for or was receiving.
David T. Jones, Commissioner of the Department of Behavioral Health and Intellectual Disability Services, stated, “Once we learned about the lost laptop within our Intellectual Disability division, we immediately implemented actions to inform anyone who may have been impacted, provided additional training to our workforce and implemented additional controls to prevent this type of incident from occurring in the future.”
All 1,500 affected individuals were notified of the breach the same day that the laptop was lost and have been offered one year of free credit monitoring services.
Forensic investigators were able to confirm that no unauthorised individuals had used the laptop to access patient records.
It is DBHIDS policy for all laptop computers to be encrypted, yet no explanation has been offered for why this laptop had escaped that requirement. DBHIDS plans to conduct a review to ensure all laptop computers are encrypted.
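The control that failed here was policy without verification: encryption was required, but nothing confirmed it was actually in place on every device. Below is an added example (not DBHIDS code, and not from the original article) of the kind of check such a review needs. It reads the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` produces on a Linux endpoint and flags any mounted data filesystem with no dm-crypt (LUKS) layer beneath it. The two-host inventory, the hostnames and the `EXEMPT_MOUNTPOINTS` set are constructed assumptions for the example.

```python
import json

# Bootloader partitions normally cannot be encrypted, so they are not findings.
# (Assumption for this example; adjust to the fleet's build standard.)
EXEMPT_MOUNTPOINTS = {"/boot", "/boot/efi", "[SWAP]"}


def unencrypted_mounts(lsblk_json):
    """Return the mountpoints of filesystems with no dm-crypt layer beneath them.

    lsblk_json is the parsed output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`:
    a tree of block devices. A LUKS/dm-crypt mapping appears as a node of
    type "crypt", and anything mounted below it is encrypted at rest.
    """
    findings = []

    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint and mountpoint not in EXEMPT_MOUNTPOINTS and not under_crypt:
            findings.append(mountpoint)
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in lsblk_json.get("blockdevices", []):
        walk(dev, False)
    return findings


def audit_fleet(inventory):
    """inventory maps hostname -> lsblk JSON; returns only the non-compliant hosts."""
    report = {}
    for host, lsblk_json in inventory.items():
        mounts = unencrypted_mounts(lsblk_json)
        if mounts:
            report[host] = mounts
    return report


# Constructed sample data (not real DBHIDS inventory). laptop-02 is given as
# the raw JSON an endpoint agent would ship back; its data partitions are
# mounted directly, with no crypt layer.
LAPTOP_02_LSBLK = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "/"},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": "/home"}]}]}
"""

# laptop-01 is the compliant layout: LVM volumes sit on top of a LUKS mapping.
SAMPLE_INVENTORY = {
    "laptop-01": {"blockdevices": [
        {"name": "sda", "type": "disk", "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
            {"name": "sda2", "type": "part", "mountpoint": None, "children": [
                {"name": "luks-root", "type": "crypt", "mountpoint": None, "children": [
                    {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
                    {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"}]}]}]}]},
    "laptop-02": json.loads(LAPTOP_02_LSBLK),
}


if __name__ == "__main__":
    # In production each host's JSON comes from: lsblk -J -o NAME,TYPE,MOUNTPOINT
    for host, mounts in audit_fleet(SAMPLE_INVENTORY).items():
        print(f"{host}: unencrypted data volumes {mounts}")
```

The same audit on Windows endpoints would read `Get-BitLockerVolume` (or `manage-bde -status`) output, and on macOS `fdesetup status`; the point is the same in each case: the encryption policy is only as good as the inventory that proves every device meets it.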
DBHIDS has also committed to re-training staff in the basics of HIPAA compliance and to offering further training on security-focused topics.
Alicia Taylor, a spokesperson for DBHIDS, wrote in a statement, “DBHIDS is thoroughly investigating causes of this incident and taking appropriate corrective actions, including re-training the employees involved, providing additional privacy/security training to the DBHIDS workforce, and continuing to review practices and implement additional controls to prevent this type of incident from occurring in the future.”
HIPAA does not strictly require devices containing PHI to be encrypted: under the Security Rule, encryption is an "addressable" implementation specification, meaning a covered entity must implement it where reasonable and appropriate, or document why it is not and put an equivalent alternative measure in its place. This laptop was unencrypted, held PHI, and does not appear to have been protected by an equivalent measure, so it remains to be seen whether any penalties will be levied against DBHIDS for the breach.