Clinical Pathology Laboratories Southeast, Inc., (CPLSE) has revealed that an unencrypted laptop computer issued to a member of staff has been stolen, exposing the protected health information of a number of patients and their payment guarantors.
CPLSE quickly activated safety actions to prevent the laptop from being used to gain access to its network and the theft was made known to law enforcement; however, it is possible that the protected health information held on the laptop device could have been viewed by unauthorized persons.
An internal inquiry was used to determine the types of information stored on the device which showed PHI elements were possibly exposed including: Names, address details, driver’s licenses, Social Security numbers, government Identification numbers, medical record numbers and medical treatment data.
Possibly affected patients have now been made aware of the violation and told of the steps they can take to secure themselves against misuse of their data. Free of charge credit monitoring and identity theft protection services have been provided to affected persons.
Measures have also been employed taken to ensure similar incidents are not experienced in the future, which include additional training for staff regarding data security, updating relevant policies and processes, and using encryption technology on portable electronic devices used to house ePHI.
The laptop was taken on September 20, 2017 and the substitute breach notice made public on the CPLSE website on March 21, 2018. It has not been stated why it took six months for the incident to be made public. HIPAA states that notifications must be sent within 60 days of the identification of a breach.
The incident has yet to be made public on the Department of Health and Human Services’ Office for Civil Rights (OCR) Breach Portal. The number of persons imapcted by the breach has not yet been ascertained.