Unencrypted Laptop Stolen from Rocky Mountain Health Care Services Compromised Patients’ PHI


Another unencrypted laptop got stolen from an employee of Rocky Mountain Health Care Services of Colorado Springs. This is the second time that a similar incident happened in three months. The second theft, which was discovered on September 28, has been reported to law enforcement. The 909 patients whose protected health information has been compromised were already notified by mail.

According to the investigation, the laptop computer contained only a limited number of patients’ protected health information. The PHI included the names of patients, addresses, birth dates, health insurance details, Medicare numbers and some treatment information.

Rocky Mountain Health Care Services also manages other HIPAA-covered entities such as BrainCare, Rocky Mountain PACE, Rocky Mountain Options for Long Term Care and HealthRide. The first incident that a mobile phone and laptop computer of a former employee was stolen occurred on June 18, 2017. The devices contained patients’ names, addresses, birth dates, some treatment information and health insurance information.

Only one of the two mentioned incidents above has been published on the Department of Health and Human Services’ Office for Civil Rights breach portal. It is not clear which one was published, whether the first or second. The OCR breach portal shows that one major cause of healthcare data breaches is the loss or theft of unencrypted portable electronic devices. In fact, for 2017 alone, 31 breaches have been reported by business associates and covered entities that involved unencrypted laptop computers and portable devices theft.

As a preventive measure to the breaches, Rocky Mountain Health Care Services reviewed its policies and procedures and is thinking of incorporating security management technologies on mobile devices and data encryption of portable electronic devices.