Backup with sensitive HIV information stolen — from a car

Posted on by Dissent

Grace Jang of KTVA reports that the HIV status of thousands of Alaskans is likely in the hands of a thief:

Anchorage Police, along with the Alaskan Aids Assistance Association known as the Four A’s, say the sensitive information was taken earlier this month, but because the investigation is still very active, a lot of information is not being made public at this time.

However, both police officials and Four A’s representatives say they’re confident neither the organization, nor the information, were specifically targeted.

“The potential breach could affect around 2,000 individuals statewide, and until the investigation is completed itself, will we be able to determine if anybody at all was affected, to what level and then that will determine how we notify them, when we notify them and what information we share,” said Four A’s Executive Director Trevor Storrs.

Apart from the fact that I find the director’s attitude about notification paternalistic and infuriating, it seems that more information is already available. Ted Land of KTUU reports that the data were stolen from the Executive Director’s car:

Four A’s works with the state to provide HIV testing to the public, as well as financial assistance, counseling, medicine and other services to Alaskans who are living with HIV and AIDS.

Like many non-profits, the group occasionally backs up client information as a safety measure — but it never intended for that data to end up in criminal hands.

Someone broke into the vehicle belonging to Four A’s executive director Trevor Storrs and stole a data storage device containing up to 2,000 clients’ names, contact information and — in some cases — Social Security numbers.

Of course, the fact that they’ve lost control of the data and it’s in the hands of a thief doesn’t necessarily require notification under Alaska law, which has a risk of harm trigger.   If Four A’s is a HIPAA-covered entity, however, they would be required to notify HHS and individuals under HITECH’s notifications requirements.  Their web site does not seem to specifically mention HIPAA, or if it does, I can’t find it.   Land also reports:

The personal data is still missing, but there’s been no evidence of a security breach for any of the stolen names. Four A’s is working with Anchorage police, who have named 29-year-old Sarah Yurman as a suspect in the theft.

Cross-posted from PHIprivacy.net

Category: Breach IncidentsMiscellaneousOf NoteTheftU.S.