California-based psychiatrist Robert E. Soper, M.D. recently notified patients of a health data breach after his car was broken into and a desktop computer containing patient PHI was stolen from the trunk of the car. Other pieces of equipment, as well as a camera and suitcases, were also taken from the vehicle.
The incident happened on June 27, according to a copy of the data breach notification letter posted to the California Office of the Attorney General website. The computer contained patient names, dates of birth, some phone numbers, clinical notes, and emails. Soper added that addresses, Social Security numbers, and insurance information were not stored on the device.
“Fortunately, the clinical notes were protected by two passwords, and were maintained in a format unique to the software used to prepare them,” Soper explained in the letter. “The software program itself was not on the computer, making the data almost impossible to decipher.”
While the email information was password protected, according to Soper, that data did “generally contain” laboratory reports, some reports from outside healthcare providers, and patient emails sent to his office.
The desktop computer was going to be given to Soper’s brother, according to the letter. However, Soper did not explain if the patient PHI would have been wiped from the device before or after it was handed over to a new owner.
Soper added that he immediately reported the theft to local authorities and also disconnected the computer from any access to his organization’s data on the internet and office. It is unlikely that any of the information will be misused, Soper said, but he still urged affected individuals to monitor their bank and credit accounts and to report any suspicious activity.
“Additional steps” will be taken at the office to better protect patient data, according to Soper, who also apologized for the incident.
“The good news is that if the computer goes on line, Apple Computer will identify the computer, erase this disk, put up a message that the computer is stolen, and notify me,” Soper said. “That service is very beneficial if anyone connects that computer to the internet. So far, I have heard nothing.”
The health data breach notification letter did not specify how many individuals were potentially affected, and as of publication, there was not a notification on the Department of Health and Human Services (HHS) site. As previously discussed on HealthITSecurity.com, the HHS requires that health data breaches affecting more than 500 individuals be reported to the department.
Unfortunately, having patient PHI stolen from a healthcare provider’s vehicle is not a unique event. Earlier this year, HealthITSecurity.com reported on the Indiana State Medical Association (ISMA) data breach, in which a laptop computer and two external hard drives were stolen from an ISMA information technology administrator’s car. Approximately 39,000 patients were affected, and stolen information included Social Security numbers and medical histories.
A similar incident also took place in Oregon toward the end of 2014. In that case, a personal laptop containing patient PHI was stolen from a Corvallis Clinic employee’s car while they were attending a work-related conference.
“This was a breach of Clinic policy in that patient health information was reported to have been maintained on the employee’s personal laptop that had not been evaluated or cleared for use by The Clinic’s IT security officer,” according to a Corvallis Clinic statement.