Stolen Laptop with Patient Health Information: Data Breach?

Disclaimer: Always consult with your attorney/legal counsel for legal advice.

Does a stolen laptop containing patient health information (PHI) amount to a data breach? In simplest form: yes, if the PHI was unsecured, and no, if it was encrypted in line with the HHS guidance (see the HIPAA Final Rule discussion below). Under the Breach Notification Rule, an impermissible disclosure of unsecured PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. Bloomington-based Premier Healthcare, LLC discovered on January 4, 2016 that a laptop had been stolen from one of its billing offices. On January 6, a police report was filed with the Monroe County Sheriff's Office. Premier Healthcare stated that the laptop was password-protected but not encrypted. That distinction matters: a login password only gates the operating system, while the data on an unencrypted drive can be read by booting from other media or by removing the drive and attaching it to another machine. Emails on the laptop's hard drive contained screenshots, spreadsheets, and PDF documents used to address billing issues with patients, insurance companies, and other healthcare providers. Premier further stated that these documents held combinations of patient demographic information (name, date of birth, medical record number, insurance information, and/or some clinical information) for 205,748 individuals. For 1,769 of those patients, Social Security numbers and/or financial information could potentially be accessed on the laptop.

Quick Timeline

  • December 31, 2015: Date laptop believed to have been stolen from the Billing Department office
  • January 4, 2016: Premier Healthcare discovered stolen laptop
  • January 6, 2016: Police report filed with Monroe Co Sheriff's Office
  • March 3, 2016: Premier Healthcare statement posted to website
  • March 4, 2016: Premier Healthcare notifies HHS regarding a potential data breach (HIPAA Breach Notification Rule)
  • March 7, 2016: Stolen laptop returned to Premier Healthcare via U.S. mail; Premier engages a forensic firm for analysis

In a March 3rd statement Premier said,
There is no evidence to believe that the information on the laptop was the target of the theft or that any of that information has been accessed or used for fraudulent purposes. Premier took immediate steps to investigate and attempt to recover the laptop. A police report was filed and patients are being notified. Unfortunately, to date neither Premier nor law enforcement has been able to locate the stolen laptop or identify the perpetrator.

According to several media sources, the laptop was returned to Premier Healthcare via U.S. mail. Premier Healthcare then engaged a forensic consulting firm (similar to your Kemper Forensics team) to examine the laptop and determine whether a data breach had occurred. According to these reports, the examination concluded that the laptop had not been accessed or used since it was stolen from the billing office on December 31, 2015.

Based on what has been publicly released, we do not know the laptop's specifications (make, model, operating system, or whether the drive was an HDD or an SSD). The public information indicates only that it was an unencrypted, password-protected laptop that likely contained demographic and clinical information on over 200,000 individuals. This post is not intended as a deep technical analysis, but one point deserves emphasis: a conclusion that the laptop was not accessed rests on the absence of operating-system artifacts, and an unencrypted drive can be removed, imaged through a write-blocker, and reinstalled without the operating system ever booting, so no such artifacts would be created. Depending on the operating system (e.g. Windows 7), many artifacts (event log entries, registry last-write times, prefetch files, NTFS journal records) would support, with high probability, the conclusion that the laptop itself was not powered on and used, but they do not rule out the drive having been removed, imaged, and put back. A careful examiner would have weighed this possibility when planning the examination. (Tech note: the drive's S.M.A.R.T. counters, such as Power_Cycle_Count and Power_On_Hours, are one of the few places a dead-box imaging session leaves a trace, provided there is a prior reading to compare them against.)
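As an added example (this code is not from the original post, nor from the firm that examined Premier's laptop), here is the reconciliation the tech note hints at: parse the drive's S.M.A.R.T. attribute table, compare the change in Power_Cycle_Count and Power_On_Hours against the boots and uptime the host's own event log accounts for, and flag any remainder. It assumes a prior S.M.A.R.T. reading exists (for instance from an asset-inventory agent) and that the examiner has rebuilt the host's boot/shutdown times from its System log; the smartctl output, baseline and session times below are all constructed.

```python
"""
Added example (not part of the original post): reconcile a drive's
S.M.A.R.T. counters with the host's own boot records to flag power-on
time the operating system cannot account for, which is the trace that
pulling the drive and imaging it on a write-blocker leaves behind.
All sample data below is constructed for illustration.
"""
from datetime import datetime
import re

# Constructed sample of `smartctl -A /dev/sdX` (ATA attribute table).
SAMPLE_SMARTCTL = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       2627
 12 Power_Cycle_Count       0x0032   099   099   000    Old_age   Always       -       845
194 Temperature_Celsius     0x0022   036   045   000    Old_age   Always       -       36 (Min/Max 21/45)
"""

# Constructed baseline: SMART values last recorded by an (assumed)
# asset-inventory agent before the theft.
BASELINE = {"Power_On_Hours": 2610, "Power_Cycle_Count": 840}

# Constructed host boot/shutdown pairs after the baseline reading, as an
# examiner would rebuild them from the Windows System log (Kernel-General
# event 12 "operating system started", event 13 "shutting down").
HOST_SESSIONS = [
    ("2015-12-30 08:02:11", "2015-12-30 17:31:40"),
    ("2015-12-31 07:58:03", "2015-12-31 12:10:22"),
]

# The examiner's own acquisition powers the drive once more; account for it.
EXAMINER_CYCLES = 1

# ID, NAME, FLAG, VALUE, WORST, THRESH, TYPE, UPDATED, WHEN_FAILED, then the
# leading integer of RAW_VALUE (vendors append extras such as min/max).
ATTR_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\d+)"
)


def parse_smart_attributes(text: str) -> dict:
    """Map ATTRIBUTE_NAME -> leading integer of RAW_VALUE."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(2)] = int(m.group(3))
    return attrs


def host_usage(sessions) -> tuple:
    """Return (boot count, powered hours) that the OS itself recorded."""
    fmt = "%Y-%m-%d %H:%M:%S"
    hours = 0.0
    for start, stop in sessions:
        delta = datetime.strptime(stop, fmt) - datetime.strptime(start, fmt)
        hours += delta.total_seconds() / 3600
    return len(sessions), hours


def unexplained_power(smart, baseline, sessions, examiner_cycles=0,
                      slack_hours=1.0) -> dict:
    """Power cycles and hours since the baseline that no host boot explains."""
    boots, hours = host_usage(sessions)
    extra_cycles = (smart["Power_Cycle_Count"] - baseline["Power_Cycle_Count"]
                    - boots - examiner_cycles)
    extra_hours = (smart["Power_On_Hours"] - baseline["Power_On_Hours"]) - hours
    return {
        "unexplained_cycles": extra_cycles,
        "unexplained_hours": round(extra_hours, 2),
        # Power_On_Hours has one-hour resolution on most drives; allow slack.
        "suspicious": extra_cycles > 0 or extra_hours > slack_hours,
    }


def assess_sample() -> dict:
    """Run the reconciliation over the constructed sample data."""
    return unexplained_power(parse_smart_attributes(SAMPLE_SMARTCTL),
                             BASELINE, HOST_SESSIONS, EXAMINER_CYCLES)


if __name__ == "__main__":
    print(assess_sample())
```

In the constructed data the drive shows two power cycles and roughly 3.3 hours that neither the host's logged sessions nor the examiner's acquisition explain, which is exactly the shape a bench imaging session would leave. Treat this as corroboration, not proof: the counters live in drive firmware and are not tamper-evident, Power_On_Hours units vary by vendor (some report minutes, some cap at 65535), and without a trustworthy baseline an extra cycle cannot be told apart from a normal boot. Record the S.M.A.R.T. table before you image, so your own acquisition does not muddy the numbers.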

But the question still remains: why was the laptop stolen from Premier Healthcare, returned via U.S. mail "unharmed", with no forensic evidence that it was ever accessed? Did the suspect(s) have a change of heart? How did the suspect(s) benefit from the theft? Why was it returned just days after Premier notified HHS? Many questions remain.

For information related to this crime and incident, contact Monroe County Sheriff's Office and/or Premier Healthcare at 877-509-8356 or HIPAA@premierhealthcare.org

The importance of encryption

Under the HIPAA Breach Notification Rule, notification is required only for breaches of unsecured PHI. PHI that was encrypted in a manner consistent with HHS guidance is not "unsecured", so the theft of a properly encrypted device does not trigger the notification requirements. The guidance referenced in the Final Rule is "Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals", which in turn points to the NIST encryption standards (NIST Special Publication 800-111 for data at rest, such as a laptop's drive). Two practical caveats: the safe harbor holds only if the decryption key was not compromised along with the device, and you need records (for example, encryption status reports from your device-management tooling) showing that encryption was actually enabled on the specific machine at the time it was lost.

What can I do?

If you are a Covered Entity (CE) under HIPAA, i.e. you hold patient health information (PHI), revisit and review your HIPAA policies and procedures. Verify that full-disk encryption is enabled and enforced on every portable device that touches PHI, and keep the records that prove it. When is the last time you had a HIPAA Security Risk Analysis completed? If you have not had a security risk analysis completed, contact us. We will work with you to help you navigate HIPAA. We have years of public (law enforcement) and private sector experience in investigating computer-related crimes and security incidents. If you believe you have suffered a potential data breach, call us promptly at 812-421-8000 or email info-at-kemperforensics-d0t-com.
