Just because you don’t remove the laptop from the office, don’t kid yourself that it’s secure. We’ve seen a number of incidents where laptops were stolen from offices and the failure to encrypt them resulted in breach notice costs for the entities. The latest entity to incur breach costs due to failure to adequately secure a laptop is St. Therese Medical Group in Bakersfield, California. They sent out letters today to patients and providers whose information was on an unencrypted laptop stolen from their offices on July 22.
In their notice to affected patients, the Bakersfield-based practice states that the laptop held patients’ name, date of birth, Social Security number, name of health insurer, date of treatment, amount billed, and account balance.
In addition to patient information, providers’ information was also on the unencrypted laptop: name, home address, telephone number, Social Security number, Drug Enforcement Agency number, driver’s license number, medical license number, malpractice history, and national provider identification.
That’s a lot of information to be left unencrypted. A lot.
Despite all of HHS’s education efforts, it seems the word still hasn’t gotten out. Or if it has, it’s not being taken seriously enough.