Closing a private practice is not the end of our data security concerns, as a breach earlier this year reminds us.
In January, attorneys for Lee D. Pollan, DMD, PC notified the NYS Division of Consumer Protection that PHI of 13,806 former patients was on a missing laptop. The laptop reportedly went missing from the oral surgeon’s office in North Chili, New York sometime after November 6, 2012 and was discovered missing on November 15, 2012. Dr. Pollan had closed his private practice in December 2011, but still needed to access the patient data at times, which is why the laptop was in his current office.
On January 11, Dr. Pollan notified those affected that the laptop was probably stolen from his office, and their names, addresses, dates of birth, Social Security numbers, diagnosis code, surgical billing codes, and person responsible bills were on it. The laptop was password protected, but the files were not encrypted. As he explained, Dr. Pollan thought the laptop would be secure in his current office. Although the laptop was stolen, the patients’ data had been backed upOr, and Dr. Pollan indicated that he was (now) encrypting the backup drive.
In compliance with HITECH requirements, a substitute notice was also published in the local media at the time.
The patients were not offered any identity theft prevention services.
This incident does not appear on HHS’s breach tool, but that does not necessarily mean that the breach was not reported to them. Unfortunately, the doctor’s law firm, Harter Secrest & Emery LLP, did not respond to an inquiry I sent them about whether the breach had been reported to HHS. If they do respond, I will update this post. (UPDATE: the breach was reported to HHS, as per their attorneys).
Information for this blog entry is based on the filing with NYS, which I obtained as part of my research for DataLossDB.org under a freedom of information request. I have a slew of reports to wade through, and may find other healthcare breaches that were previously unknown to us. All of the data will eventually be added to DataLossDB.org’s database.
Update: as subsequently reported on this blog, this incident was reported to HHS as affecting 19,178. On May 28, 2014, HHS posted an update to their breach tool:
As a result of OCR’s investigation, the CE encrypted the backup drive of the contents of the laptop computer. The CE also trained all staff on the use of encryption to safeguard data on personal computers and mobile devices.”