The Rome News-Tribune in Georgia reports:
Heyman HospiceCare is offering patients who may have had their personal information on a stolen and still-missing laptop a free one-year membership to a credit monitoring service, according to a news release from Floyd Medical Center.
According to the news release:
A password-protected laptop was stolen Jan. 4 from an employee’s car. The laptop may have contained clinical and demographic information about patients, including names, addresses, phone numbers, birth dates, Social Security numbers, insurance policy numbers.
Read more on the Rome News-Tribune.
A notice is linked from the medical center’s home page.
Privacy Notice for Heyman HospiceCare at Floyd Patients
Heyman HospiceCare at Floyd (“Heyman HospiceCare”) is committed to protecting the personal information it maintains on behalf of its patients. Regrettably, this notice is regarding an incident involving some of that information.
On January 4, 2013, Heyman HospiceCare became aware that a password-protected laptop went missing from an employee’s car earlier that same day. The incident was reported to the police, and Heyman HospiceCare immediately began a thorough investigation to identify the information that was contained on the laptop. To date, the laptop has not been located. Although information on the laptop was not encrypted, it was protected by additional security software that would make it difficult for the average person to access any information.
Heyman HospiceCare’s investigation concluded that the laptop may have contained clinical and demographic information about patients, including names, addresses, phone numbers, dates of birth, and Social Security numbers, as well as insurance policy numbers, diagnoses, visit notes, physician names, caregiver names, and advance directives. Patient financial information was not on the laptop, and medical information has not been lost. The incident affected only certain patients treated between July 1, 2006, and January 3, 2013.
Heyman HospiceCare has no reason to believe that the laptop was taken for the information it contained, or that the information has been accessed or used improperly. In an abundance of caution, Heyman HospiceCare began mailing letters to affected individuals on February 15, 2013. Heyman HospiceCare is also providing a dedicated call center to answer questions for affected patients. Heyman HospiceCare is also offering eligible individuals a free one-year membership in a three-bureau credit monitoring service provided by TransUnion, one of the three major nationwide credit reporting companies. If you believe you are affected but do not receive a letter by February 28, 2013, please call toll free 1-866-264-1049, Monday through Friday between 9 a.m. and 7 p.m. Eastern time.
Heyman HospiceCare deeply regrets any inconvenience or concern this may cause patients. Heyman HospiceCare is committed to safeguarding patients’ personal information. To help prevent something like this from happening in the future, Heyman HospiceCare is implementing a more disciplined approach to its encryption for all laptop computers and re-educating staff on policies and procedures for securing such mobile devices.
Hospice is usually relatively short-term care, available for patients not expected to live more than 6 months. So why were data for patients from 2006 on the laptop? What was this employee’s job and why did so much data need to leave the office?
Earlier this year, Hospice of North Idaho was fined $50,000 by HHS after a laptop with PHI was stolen from an employee’s car and HHS’s investigation revealed that the hospice had not conducted a risk analysis and had no policies in place to secure mobile devices. Had Heyman HospiceCare conducted a risk analysis? Did they have policies in place? Eventually, we’ll find out, but it is frustrating to learn that so many years after HIPAA went into effect, we are still reading reports like this one.