Or… why are health care institutions still leaving laptops containing PHI unencrypted????
The Los Angeles Times (the “Times”) reported this week the theft of two laptops from an administrative office of hospital group AHMC Healthcare Inc. (“AHMC”) in Alhambra, California, that compromised the health data of approximately 729,000 individuals. The notice posted by AHMC on the web sites of each of the six hospitals affected by the incident indicated that the laptops were stolen on Saturday, October 12 from a video-monitored, gated, and security-patrolled AHMC office, and that the theft was reported to the local police as soon as it was discovered on the security camera footage on Monday, October 14. A local television station indicated in a report of the incident that the Alhambra police identified a suspect in the security video footage and are pursuing the individual, who may have had ties with someone working in the AHMC building and knew where the laptops were located.
According to the AHMC web site notice and accompanying press release issued by AHMC yesterday, the protected health information (“PHI”) on the stolen laptops included patient names, Medicare/insurance identification numbers, diagnosis/procedure codes, and insurance/patient payments of patients treated at the six AHMC hospitals in the Greater San Gabriel Valley Area. While the laptops were password-protected, the press release suggests that they were not encrypted. AHMC spokesperson Gary Hopkins stated in the press release that AHMC “had recently engaged a third-party auditing company to perform a security risk assessment and is working through its recommendations, and in that connection will be expediting a policy of encrypting all laptops.” Hopkins also mentioned that AHMC has no indication that any of the compromised PHI has been used as of the date of the press release and encouraged affected individuals to place fraud alerts on their credit file and monitor their credit reports.
This data breach ranks as the 11th largest breach of medical data in the country and the 3rd largest breach of medical data in California to date, when compared to breaches of medical data affecting more than 500 individuals, as reported by the U.S. Department of Health & Human Services.