Two recent updates to HHS’s breach tool left me wondering what had happened as I could find no media coverage:
United Home Care Services of Southwest Florida< LLC,FL,”United HomeCare Services, Inc.”,1318, 1/8/2013,Theft,Laptop,3/27/2013,,
United HomeCare Services, Inc.”,FL,,12299, 1/8/2013,Theft,Laptop,3/27/2013,,
I contacted United HomeCare Services, Inc., a not-for-profit organization that provides services for over 5,000 frail and elderly individuals in Dade County. The organization has been providing services for 40 years, and is the parent of United Home Care Services of Southwest Florida, LLC.
According to a spokesperson, on January 8, the billing manager took a laptop home with her, with permission. But on the way home, she stopped off to visit an ill friend for 10 minutes, leaving the laptop on the front seat of her locked car. In that short timeframe, someone smashed the window of the car and stole the laptop. The theft was reported to the organization on January 9. UHCS reported the theft to the police and even hired a private detective to try to recover it. As of today, however, the laptop has not been recovered. Frustratingly for everyone, that laptop had password protection but no encryption as it was one of the last remaining laptops scheduled to be updated to add encryption.
It took the agency time to compile exactly what information was on the laptop, but using a roaming profile, they were able to determine that data on clients going back to 2002 were on the device. For some clients, the information may have been just a name and address, while for others it may have been name and date of birth, or name and Social Security number. According to the spokesperson, there were very few diagnostic codes or treatment service codes on the laptop.
All told, records on 1,318 United Home Care Services of Southwest Florida clients and 12,299 clients of United HomeCare Services, Inc. were on the stolen laptop
The 13,617 affected clients were sent a notification letter in February in compliance with Florida’s privacy rule that requires notification within 45 days. On March 8, they were sent a second letter to comply with HIPAA. The March 8 letter informs recipients:
This information may have included one or more of the following for you or your family member: name, social security number, date of birth, home address, service dates, health plan numbers, or diagnosis.
Those affected were offered two years of free credit monitoring. The organization has ensured all of their laptops are now encrypted and are in full compliance with their encryption policy. Additionally, all employees have been retrained on maintaining the security of their laptops and the privacy of client records, and are sent monthly staff reminders regarding privacy and security issues.
Both UHC and UHC SWFF issued press releases on March 8, which they kindly provided to this site with a copy of their March 8 notification to clients (.doc).
Parenthetically, I note that this will count as two breaches in HHS’s breach tool, but it is really one incident.