Richard Craver reports that an office burglary snagged a laptop with unencrypted patient data:
A laptop computer stolen from a local behavioral-health provider on Dec. 13 contained medical data for 2,070 individuals in Davie, Forsyth and Stokes counties, the provider said Friday.
Triumph LLC, which is based in Raleigh, notified clients and family members of the breach through letters mailed Thursday. Triumph provides psychiatric evaluations, medication monitoring, clinical assessments and outpatient therapy.
[…]
The laptop included spreadsheets with names, dates of birth, medical record numbers, insurance and Medicaid numbers, billing codes and authorization status, Caldwell said. It didn’t include Social Security numbers, diagnostic codes “or specific financial information.”
Read more on the Winston-Salem Journal.
The part that caught my eye was this:
When asked why Triumph took six weeks to notify the clients, Caldwell said the provider had been working with police to determine whether the laptop would resurface.
“When it became clear it wasn’t going to, we needed to let the individuals know,” he said.
That might suggest that if the laptop had been recovered, patients might not have been notified of the theft. Perhaps they meant that they intended to notify anyway but were just waiting to see if it would be recovered? Even if a laptop is recovered, how can an entity be sure that the drive wasn’t copied without leaving any trace of copying? I realize my standards are more stringent than HIPAA’s, but I think entities should notify patients even when devices are recovered (unless strong encryption was used, and then, I can see justification, perhaps, for not notifying).
Update: The incident was added to HHS’s breach tool on February 24, 2012.