Pathology Lab Patients’ PHI Disclosed After Theft of Unencrypted Laptop

March 28, 2018


A Clinical Pathology Laboratories Southeast, Inc., (CPLSE) worker’s unencrypted work laptop computer has been stolen, disclosing the protected health information of targeted patients as well as their payment underwriters.

Quick action was taken by CPLSE to stop the laptop from being used to link to its network and the theft was made known to law enforcement organizations; nevertheless, it might be the case that the protected health information saved on the laptop might have been seen by illegal people.

An internal analysis was carried out in order to make a decision on the kinds of data stored on the appliance which demonstrated that the following protected health information elements were possibly disclosed: Names, medical record numbers, government ID information, Social Security numbers, driver’s license details, addresses, and medical treatment history.

Patients have now been warned of the breach as well as instructed of the steps they can take in order to protect themselves against wrong use of their data. Free credit checking, as well as identity theft protection facilities, have been provided to impacted people.

Measures have also been used to prevent similar occurrences from happening in the time to come, which include retraining staff on data safety, updating required procedures and policies, and using encryption technology on moveable electronic appliances used to save ePHI.

The laptop was taken on September 20, 2017, and the substitute breach notification published on the CPLSE website on March 21, 2018. It is not clear why it took six months for the occurrence to be informed. HIPAA rules state that notifications must be issued within 60 days of the detection of a breach.

The occurrence has yet to be published in the Division of Health and Human Services’ Office for Civil Rights (OCR) Breach Portal. The number of people impacted has not yet been specified.