On June 7, Vitreo-Retinal Medical Group, Inc. (dba Retinal Consultants Medical Group) discovered that a laptop computer which was a component of a diagnostic imaging machine, was stolen sometime after the office closed on June 5. The laptop contained unsecured PHI including patient names, dates of birth, gender, race, and OCT (optical coherence tomography) images.
In a notification to patients dated July 31, Chris Mentink, Privacy Official for RCMG, writes:
As a result of our investigation we are not aware of any unauthorized use of the PHI by an unauthorized individual, or that the PHI was actually acquired or accessed.
They do not explain what kind of investigation they conducted that would have revealed either, however.
In response to the incident, the Sacrament0-based group writes that it is increasing the physical security of imaging and other equipment stored at their offices, increasing the interior and exterior security of their offices, and requiring additional information when confirming a patient’s identity on the phone. They are also in the process of determining how they can further secure laptop data and strengthening other aspects of their internal HIPAA security program.
Although the letter advises patients to obtain their credit reports and be vigilant, they do not offer them any free credit monitoring services. Note that I am not suggesting it’s actually needed for a breach that has no SSN, no insurance numbers, or financial information, but if it’s serious enough that you’re going to advise people to obtain their credit reports, then maybe you should be offering them free credit monitoring.