An unencrypted laptop has been stolen from the car of an employee of Bassett Family Practice in VA, possibly leading to the exposure of patients’ PHI.
The theft is believed to have happened during the weekend of 12/13 August. Patients were notified of the exposure of their records on October 13, 2017. The delay in sending notices was due to the time taken to recover the missing records from backups and to analyze those records to determine which patients had been affected and the types of PHI stored on the laptop.
The laptop was found to contain some information about patients’ calls to the practice, together with their names, account number, date of birth, and their insurance provider’s name. The laptop also held information related to account balances. No credit or debit card information or Social Security numbers were stored on the device.
It is not the company’s routine to store any PHI on laptops. The records were moved to the device while Bassett Family Practice was migrating to a new IT system. The practice was also in the process of encrypting all of its laptops.
HIPAA doesn’t require that encryption be used to protect stored data, even when PHI is stored on portable devices that are removed from healthcare facilities. Data encryption should be addressed, and if the decision is taken not to encrypt data, that decision should be documented. An alternative, equivalent measure should then be used in place of encryption.
Bassett Family Practice had installed a system that would send an alert if any data access occurred, and no alert has been received. If the thief attempts to access confidential data stored on the device, the practice can remotely wipe the device. The risk of patients’ PHI being accessed and misused is therefore believed to be low.