St. Anthony’s nursing home suffered a 2,600-patient data breach
on July 29 when a laptop computer and flash drive with protected health information
(PHI) were stolen from a doctor’s car.
According to stltoday.com
, the laptop held patient names, birth dates and potentially medical records, but did not contain Social Security numbers or any financial information. The car theft looked to be inadvertent, according to the ongoing police investigation. The St. Anthony’s doctors’ group is mailing notices to affected patients. The report did not state whether either of the devices were encrypted or even password
North Dakota has altered its state breach notification law to now include medical and health insurance information, according to lexology.com
North Dakota’s changes include HIPAA covered entities, business associates
, or subcontractors exemptions under the condition that they’re compliant with breach notification requirements under title 45, Code of Federal Regulations, subpart D, part 164. These new rules were effective Aug. 1, 2013 and the North Dakota joined California, Texas and Missouri as states that include health information as part of their data breach notification statutes.
North Dakota also added “unauthorized use of . . . an individual’s health insurance policy number or subscriber identification number or any unique identifier used by a health insurer to identify the individual” to the list of prohibited acts under its identity theft statute, said lexology.com.