Sta-Home Health & Hospice in Mississippi reported a potential security breach to HHS this week. Because I could find no media coverage or other information on the incident online, I contacted them for additional information.
According to a spokesperson with whom I spoke today, on the evening of September 15, their offices were burglarized by one or more individuals who cut through a metal fence and smashed in a window. Although the building is alarmed and has surveillance cameras, the cameras did not capture images of the burglars.
One of the items stolen during the burglary was a desktop computer used for processing state Medicaid claims. Information on the stolen computer was encoded using proprietary software, but because the data were not actually encrypted, and because the employee using the computer could not recall when she had last emptied the recycling bin, the company decided to err on the side of caution and notify all 1,104 individuals who had ever had PHI on that machine. The company also issued press releases as substitute notice under HITECH provisions, but none of the media outlets had picked up the release. The stolen computer has not been recovered.
Information in the files consisted of encoded names and diagnostic codes. No SSNs or financial information were included, nor any Medicaid account numbers.
The incident sounds like it was one of convenience or for the value of the hardware, as other computers in the office that contained PHI were not touched and only the one nearest the window was stolen.
In other words, a small potential breach that is nothing to get particularly excited about, but it does raise one point that covered entities grapple with: if a covered entity uses proprietary software to encode all of its sensitive data, that encoding may not rise to the level of rendering the data unusable, and the entity may then be unable to avail itself of the safe harbor provisions that would apply to encrypted data.