There was yet another unencrypted laptop theft in April, as Indiana University Health Arnett, Inc. told 10,300 affected patients of the health data breach via letter on May 10.
The laptop was in an employee’s car and may have contained patient names, dates of birth, physicians’ names, medical record numbers, diagnoses and dates of service. But Arnett’s press release indicates that Social Security numbers, financial information or patients’ medical records were not included on the device.
Arnett said in a statement that the month-long delay was caused by an investigation of who was included in the breach and the data involved as part of cooperation with the White County Sheriff’s Office. As is the case with most of these types of breaches, Arnett claims that it doesn’t believe any data has been misused or accessed with malicious intent, but the laptop still hasn’t been found.
We apologize for any inconvenience this may cause you. Arnett takes very seriously its obligation to keep the information it maintains secure and we appreciate the trust that you place in us. Arnett is reviewing its policies and procedures to minimize the chance of such an incident occurring in the future. In addition, Arnett has mandatory privacy and security training for all of its workforce members.
While it’s still unclear why it took a month for Arnett to tell patients of the breach, once again it would be helpful if the organization explained exactly how it will improve its privacy training practices. Does that involve a PowerPoint (hopefully not) or more extensive, hands-on training that encompasses all types of patient privacy risk? It seems as though the breach could have been avoided by simply encrypting the device so that even when human error is involved, no data is compromised. Answers to questions such as whether staff will know what has and hasn’t been encrypted going forward would give insight into what Arnett is doing to progress training.
Information from PHIPrivacy.net was also included in this report.