Here are some additional details on the Foundation Recovery Network breach previously reported on this blog:
It seems that two of the three people involved in stealing the employee’s laptop have been arrested. In a letter to the New Hampshire Attorney General’s Office from the law firm of DLA Piper, FRN also explain what type of password had been used on the laptop. Disclosing that information publicly does not strike me as a wise decision because although they do not say so explicitly, it sounds like the laptop wasn’t recovered as of August 8.
In response to the incident, FRN disabled access to their system and changed passwords. Significantly, they note that they have since changed their policies to prohibit devices with PHI from being removed from their secure premises, which addresses one of the questions I had raised in my previous blog post as to whether the employee had violated any policy by having that information on a laptop outside of the office.
What’s not evident from their recent letter is why it took until August 9 to start notifying affected New Hampshire residents when a template of a notification to California residents was submitted to that state on June 24.
Update: The Tennessean adds some interesting details:
During the [notification] process, the company also incorrectly notified patients who were not affected by the situation after a vendor mixed up the names and addresses of several patients.
The company has hired an investigator to try to track down the stolen laptop so it can be determined whether any data was stolen.
So it seems that the laptop has not been recovered.