Desktop Stolen from Healthcare Office Results in Breach of PHI

The Brevard Physician Associates has announced that they have experienced a breach of protected health information (PHI). They state that the breach occurred due to a desktop computer being stolen in a burglary at one of their sites. They have identified nearly 8,000 affected patients.

The incident occurred on Labor Day, 2017. As the offices were closed, the thieves broke into the site early in the morning. The office’s alarm system was triggered, and police responded to the incident. However, the criminals escaped with three desktop computers. A forensic analysis of the office was performed, although to date the individuals responsible have not been apprehended. As such, the computers, and therefore the PHI, have not been recovered.

Two of the computers did not contain any protected health information, but the third computer had five audit files saved to the hard drive. The information in those audit files was limited to names, names of insurance providers, CPT codes for the services provided, and the amounts charged for services. This information was sufficient to warrant the issuing of breach notifications to patients.

Brevard Physician Associates acted quickly and dispatched breach notification letters to affected patients, in accordance with HIPAA’s Breach Notification Rule. In total, 7,976 patients were identified as having been impacted by the crime.

The HIPAA Security Rule does not demand the use of encryption, although if the decision is taken not to encrypt data, an alternative, equivalent control must be employed to safeguard the confidentiality, integrity, and availability of PHI. While the computers were not encrypted, they were protected with passwords. The healthcare organisation states that strong passwords had been used to prevent unauthorised access to the data. Brevard Physician Associates also reports that the devices can be remotely wiped of all data, and that safeguard has been triggered. If the devices are connected to the Internet, data will be remotely wiped.

Brevard Physician Associates believes that the affected patients are not at risk of identity theft and fraud because of the incident. Even though addresses, dates of birth, telephone numbers, Social Security numbers, financial information and insurance ID numbers were not exposed and could not be accessed by the thieves, the decision has been taken to offer all affected patients 12 months of complimentary credit monitoring services as compensation for the incident having occurred.

Brevard Physician Associates’ response was in total compliance with HIPAA, and it was particularly commendable for its rapid breach response, prompt issuing of notifications, and for the steps taken to mitigate risk.