Here we go…. again.
A notice on the home page of The Neurological Institute of Savannah and Center for Spine in Georgia reads:
PUBLIC NOTICE: THEFT OF PERSONAL INFORMATION
If you were a patient between January 1, 2006 – July, 2, 2011, we want you to know that a computer hard drive was stolen recently that may have contained some of your personal information. Click here to read more on steps we recommend to secure your identity.
Clicking on the link leads to a notice that says:
PUBLIC NOTICE: THEFT OF PERSONAL INFORMATION
On July 2, 2011, patient identifying information was stolen from the car of an employee of Neurological Institute of Savannah & Center for Spine (“NIOS”).
If you were a NIOS patient between January 1, 2006 – July, 2, 2011, the stolen drive may have contained your name, social security number, address, date of birth, telephone number, and billing account data. Credit card numbers and medical record were not on the drive. Although parts of the data were encrypted, password protected and randomly stored, there is a possibility your data could be accessed by an unauthorized individual. We have not received any specific information to indicate your information has been used inappropriately. Police believe the thief was looking for items such as cash, laptops or equipment that the thief could easily sell and the thief likely was not trying to steal data. However, for your protection, you should contact any of the following three credit agencies immediately to place a fraud alert on your credit report:
Equifax: 1-800-525-6285; www.equifax.com; P. O. Box 105069, Atlanta, GA. 30348-5069.
Experian: 1-888-397-3742; www.experian.com; P. O. Box 9532, Allen, TX. 75013.
TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P. O. Box 6790, Fullerton, CA 92834-6790.
You should also obtain a copy of a free credit report from www.annualcreditreport.com and examine it closely for signs of fraud – such as a credit account that is not yours. You should check your credit reports periodically and closely monitor your credit card and bank statements. You should generally be alert to any irregularities in your financial data. You should report to police any problems immediately.
We have reported this event to the local police and are working with them to identify the thief. We are attempting to recover the items taken. We have also modified our security procedures to eliminate any loss or potential breach of this nature in the future.
Please know that The Neurological Institute of Savannah & Center for Spine is committed to protecting the confidentiality, security and integrity of your protected health information and sincerely apologizes for the inconvenience this situation may have caused you.
If you have other questions please contact us through our toll free hotline at 1-888-613-3688 or by letter to Neurological Institute of Savannah, Attn: Privacy Officer, P.O. Box 15112 Savannah, Georgia 31416.
According to their notification to HHS, the breach affected 63,425 patients.
So what were 5-year old data doing on a drive in an employee’s car? Even granting that this was likely an opportunistic theft, what was the drive doing in what was presumably an unattended vehicle? Can patients really believe that their providers take confidentiality and security seriously if drives with unencrypted data are being left in cars?