Comprehensive Psychological Services LLC of South Carolina recently reported a data breach in which it alerted 3,500 patients that a laptop with protected health information (PHI) was stolen from the practice’s office on October 28, according to PHIPrivacy.net.
The organization sent PHIPrivacy a copy of the media notice, which provided some detail of the breach. The laptops were password protected, but were not encrypted. According to the statement, there were two sources of PHI on the laptop computer: a scheduling program called “Customer Appointment Manager” and each patient’s treatment records, including therapy notes and psychological reports.
The Customer Appointment Manager program contains the individual patients’ name, date of birth, phone number, address, the name of the health insurance company, appointment date, and a brief description of the presenting concern. Importantly, the Customer Appointment Manager did not contain Social Security numbers, financial information (credit cards) or health insurance identification numbers.
…[Patient’s treatment records] include the patient’s name, date of birth, report date, tests utilized, family background information, test results, diagnostic impressions, and recommendations for future services. At the conclusion of the report, there is a list of the billing codes utilized by health insurance payers. Similar to the Customer Appointment Manager, there is no information pertaining to financial information (credit cards) or health insurance identification numbers contained within the treatment records. It is noted that the only evaluations conducted by this office that may have contained social security numbers were for the S.C. Department of Disability Services prior to April 2007. Otherwise, for any other evaluations or therapy sessions prior to April 2007, and all services conducted in this office after April 2007, your social security number was not recorded.
Comprehensive Psychological Services told PHIPrivacy that it was “developing a system that will use a higher standard of security to protect your confidentiality and personal information.” Though there were no details, we can assume that encryption would be part of that system.