Disclaimer: Always consult with your attorney/legal counsel for legal advice.
Does a stolen laptop containing patient health information (PHI) equate to a data breach? In simplest form: yes, if unsecured; no, if encrypted (see HIPAA Final Rule outlined below).
Bloomington-based Premier Healthcare, LLC discovered on January 4, 2016 that a laptop had been stolen from one of its billing offices. On January 6th, a police report was completed by the Monroe County Sheriff’s Office. Premier Healthcare stated that the laptop was password-protected, but was not encrypted. Emails located on the laptop’s hard drive contained screenshots, spreadsheets, and PDF documents that were used to address billing issues with patients, insurance companies, and other healthcare providers. Premier further stated that combinations of patient demographic information (i.e. name, date of birth, medical record number, insurance information, and/or some clinical information) for 205,748 individuals were contained in these documents. For 1,769 patients, Social Security numbers and/or financial information could potentially be accessed on the laptop.
- December 31, 2015: Date laptop believed to have been stolen from the Billing Department office
- January 4, 2016: Premier Healthcare discovered stolen laptop
- January 6, 2016: Police report filed with Monroe County Sheriff’s Office
- March 3, 2016: Premier Healthcare statement posted to website
- March 4, 2016: Premier Healthcare notifies HHS regarding a potential data breach (HIPAA Breach Notification Rule)
- March 7, 2016: Stolen laptop returned via U.S. mail to Premier Healthcare, which engages a forensic firm for analysis