KFYR-TV in North Dakota reports:
Patient information may have been stolen during a vehicle break-in last month, and Medcenter One is notifying the 650 potential victims by mail. Other items were also stolen.
A Medcenter One laptop and bag containing forms for processing hearing aid patients were taken. The papers have been recovered. But the laptop, although password protected, contains limited personal information.
[…]
Today, Medcenter One posted a notice and FAQ on their site:
Medcenter One is notifying a select group of hearing aid patients by mail that during a vehicle break-in the weekend of Oct. 21, 2011, in Bismarck, patient information was stolen. This information was part of a larger theft including equipment and valuable personal property including hunting equipment. The police were immediately contacted, and one bag of items has since been recovered.
Along with hearing aid parts and equipment, a Medcenter One laptop and a bag containing 11 internal paper forms to process hearing aid patient charges were taken. That bag was recovered days later. Its contents appear to be undisturbed.
The recovered 11 paper charge forms contained identifying information including name, date of birth, address, phone number, insurance company and policy number and Medicare number, along with the patient’s hearing diagnosis.
The stolen laptop, although password protected, contained limited personal information for 650 hearing aid patients. The software on the laptop containing patient data also was password protected. The information residing within that program did not include Social Security numbers or any financial information. The identifying information is limited to first and last names of patients, along with dates of birth and hearing tests.
Although it is unlikely that obtaining patient health information was the reason for this theft, Medcenter One is proactively working with Experian, one of the world’s largest credit reporting agencies, and its ProtectMyID Alert program, to provide free credit monitoring to potentially impacted individuals who would like further identity theft follow-up regarding their personal information.
Medcenter One is making staff available to answer patient questions 7 a.m.–7 p.m. weekdays, Nov. 17–23. For general questions or more information about the ProtectMyID Alert program, impacted patients may call 701.323.2871 or toll-free 855.205.5786, or email hipaa@mohs.org. The hotline will not be staffed on Thursday, Nov. 24, in observance of the Thanksgiving holiday. Following that date, staff will be available to answer questions 8 a.m.–5 p.m. weekdays. Patients are asked to leave a message if someone is not immediately available.
Medcenter One is reviewing its policies and procedures, reinforcing existing security practices and will consider implementation of additional measures to reduce the likelihood of such an incident occurring again. Protecting patient information is a priority at Medcenter One, and we deeply regret any concern this incident might cause.
FAQs
Q: When did the incident occur and what was stolen?
A: The weekend of Oct. 21, 2011, a Medcenter One laptop computer and a bag containing 11 internal paper forms to process patient charges were taken along with valuable personal items including hunting equipment, and hearing aid parts and equipment.
Q: What information was involved in the incident?
A: Eleven internal paper forms to process patient charges were taken. The following information was listed on these forms: name, date of birth, address, phone number, insurance company and policy number, Medicare number, along with the patient’s hearing diagnosis. That bag and its contents were recovered days later and appear to be undisturbed. The stolen laptop contained the names and dates of birth for 650 hearing aid patients. The stored information did not include Social Security numbers or any financial information; it was limited to first and last names of patients, along with dates of birth and hearing tests. The laptop and the program containing the data each were password protected.
Q: Was there a specific time period for the records stored on the device?
A: Yes, the information stored on the laptop is hearing aid patient data since approximately 2003.
Q: Were all my records stored on the computer?
A: No. Complete medical records were not stored on the laptop or available in the few paper charge slips.
Q: How did Medcenter One become aware of the incident?
A: The employee whose vehicle was vandalized reported it both to the police and Medcenter One officials immediately the morning of Oct. 24, 2011 when it was discovered.
Q: How did Medcenter One respond to this incident?
A: Medcenter One acted immediately by working with the employee on obtaining a copy of the computer files and charge slip information in order to identify individuals impacted by the incident. Medcenter One then moved quickly to obtain addresses for and notify the individuals. Medcenter One reported the incident to the US Department of Health and Human Services—Office for Civil Rights.
Q: What is Medcenter One doing to prevent this from happening in the future?
A: Medcenter One is reviewing its policies and procedures and will make any necessary revisions to help reduce the likelihood this will happen again. In addition, Medcenter One will provide additional education and awareness to its associates.
Q: Am I at risk for identity theft due to this event?
A: We believe it is very unlikely, but there is a possibility. There is no evidence suggesting the information has been accessed or misused. Medcenter One has engaged Experian, and its ProtectMyID program, to provide assistance to identified individuals who would like further identity theft follow-up.
Q: Why wasn’t I notified sooner?
A: The process for resolving this incident included a time-intensive investigation in order to identify facts and impacted individuals. Addresses for the select group of impacted individuals had to be obtained.
Medcenter One worked diligently to complete those tasks as well as gather helpful information and services to offer to impacted individuals.Q: I got a letter from you that mentioned the ProtectMyID program. What should I do?
A: Medcenter One has contracted with Experian, and its ProtectMyID Alert program, to provide free credit monitoring to individuals who would like further identity theft follow-up regarding their personal information. If you are an impacted individual, you have 30 days from the day you received the letter to contact Medcenter One so we can explain and begin the implementation process. Please call 701.323.2871 or toll-free 855.205.5786, or email hipaa@mohs.org.