Omnicare Inc. of Kentucky recently notified 8,845 patients who had protected health information on a laptop that was stolen on January 19.
The firm, which provides pharmaceutical care for seniors, posted a statement on their web site for those using pharmacies in North Carolina:
On January 19, 2011, a laptop computer was stolen that contained a limited amount of the health information of the residents of certain North Carolina nursing homes and rehabilitation facilities serviced by Omnicare. Specifically, this laptop is used by a Consultant Pharmacist from Omnicare pharmacies who routinely visits these facilities to assist physicians in prescribing appropriate medication therapies.
In addition to limited amounts of health information, the laptop contained residents’ social security numbers, which were stored in a database that requires advanced technological skills and tools to access. No health insurance information was contained on the laptop.
Omnicare immediately reported the incident to the police and it is under investigation. Due to the limited type and amount of personal or health care information that can be easily accessed on the laptop, we believe that the misuse of residents’ personal or health information resulting from this incident is unlikely. To the extent possible, we have notified each of the residents personally, and are providing this notification out of an abundance of caution.
Omnicare is taking this matter very seriously and has conducted a thorough investigation. Please be assured that we continue to take all reasonable steps to mitigate the circumstances resulting from this incident and to protect the residents’ personal and health information from any potential risks in the future. To that end, and despite the fact that we feel this incident represents a low level of identity theft risk, we are offering each affected individual a year of free credit monitoring.
There is no evidence to date that residents’ personal or health information has been misused in any way. Nonetheless, we understand the concern that this situation may cause and want to provide this notification so residents can be vigilant in monitoring their financial accounts and credit reports in order to protect against the possibility of identity theft.
Under U.S. law you are entitled to one free credit report a year from these three national credit bureaus:
[…]
We are sorry for any inconvenience that this might have caused. The privacy and security of our patients’ personal and health information is a top priority at Omnicare and we remain committed to continuing to address this situation with the help of law enforcement officials.
Should you have any questions or need further information regarding this incident, please contact our representative Anita Leonard at 800-949-6337 ext 10622 or via email [email protected].
Metadata for the statement file indicates it was created on March 8, over a month after the theft.
I note that they keep saying “limited,” but they do not indicate the precise types of personal or protected health information involved in the breach other than Social Security numbers. Were patients’ diagnoses on the stolen laptop? How about the names of their medications? It would be nice to know. Nor do they indicate how the laptop was stolen. Was it stolen from the consultant pharmacist’s car or from some other location.
Similarly, it would be nice to know what they mean by requiring “advanced technological skills and tools.”
All in all, this disclosure is not as helpful or informative as it might have been.