At some point, something has to give – either healthcare employees will encrypt their mobile devices or stop leaving them in their cars. Until then, even if they’re inadvertent, data breaches will continue to occur in this manner. Heyman HospiceCare, Ga., experienced a familiar plot on Jan. 4 when an employee left a non-encrypted laptop containing patient names, addresses, phone numbers, birth dates, Social Security numbers and insurance policy numbers in their car, and the device was stolen.
Potentially affected patients’ time of treatment may range from July 1, 2006, to Jan. 3, 2013, but the report doesn’t detail how many patients were impacted. Heyman says financial information was not on the laptop and the medical information was not lost. The device was password protected, and officials told Romenews-tribune.com that it was protected by additional security software and would prove difficult for the average person to access. Heyman offered the boilerplate statement that it plans on heavily enforcing mobile device encryption going forward. And in the patient privacy notice on the Heyman Hospice website, the organization offered credit monitoring to the patients involved in the breach:
Heyman HospiceCare has no reason to believe that the laptop was taken for the information it contained, or that the information has been accessed or used improperly. In an abundance of caution, Heyman HospiceCare began mailing letters to affected individuals on February 15, 2013. Heyman HospiceCare is also providing a dedicated call center to answer questions for affected patients. Heyman HospiceCare is also offering eligible individuals a free one-year membership in three-bureau credit monitoring service provided by TransUnion, one of the three major nationwide credit reporting companies.
As is often the case, there’s a dearth of information in this breach report, such as what role the employee served and why all that data was on the laptop. The breach comes in the wake of Hospice of North Idaho (HONI) agreeing in late December to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the HIPAA Security Rule. These two recent hospice breaches prove that it’s not just big hospitals that suffer from data theft and that all types of healthcare organizations need to be vigilant with data encryption.