Arizona physician Jeffrey Paul Edelstein, M.D., notified HHS that a computer server stolen from a locked closet in his office on May 28th contained information on 4,800 patients.
In a notification letter to affected patients dated July 24, Dr. Edelstein noted that preliminary investigation suggested the theft was committed by someone who had key access to the building, but by itself, that doesn’t explain how the thief got into the dead-bolted closet in his locked office where the server was housed.
Dr. Edelstein attempted to reassure his patients:
The billing and medical record software was fully compliant with federal regulations of the Health Insurance Portability and Accountability Act (HIPAA) and contained multiple layers of password protection.
Nevertheless, the server contained both patient electronic medical and billing records, including protected health information, names, Social Security numbers, dates of birth, addresses, telephone numbers, account numbers, and diagnoses. Please note that due to security precautions in place prior to the robbery, this data is not easily retrievable. It would be extraordinarily difficult to obtain access to your personal data without significant computer expertise. It is likely that the hard drives would be reformatted, or entirely erased, in order to use the stolen computer. This would be consistent with the motive of the crime, which appears to be a cash sale rather than to retrieve any information stored on the server.
[…]
Please note that I have taken several measures to ensure that this does not occur in the future. I immediately changed all office locks, installed an alarm system, terminated my current cleaning service, limited key access to myself for the office server closet, changed passwords, and now utilize a third-party offsite encrypted backup record of patient files. The building management firm was also terminated.
It seems like they really do suspect an inside job on this one.