DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Oral surgeon notifies former patients after laptop with their PHI was stolen from his office (updated)

Posted on May 31, 2013 by Dissent

Closing a private practice is not the end of our data security concerns, as a breach earlier this year reminds us.

In January, attorneys for Lee D. Pollan, DMD, PC notified the NYS Division of Consumer Protection  that PHI of 13,806 former patients was on a  missing laptop.  The laptop reportedly went missing from the oral surgeon’s office in North Chili, New York sometime after November 6, 2012 and was discovered missing on November 15, 2012.  Dr. Pollan had closed his private practice  in December 2011, but still needed to access the patient data at times, which is why the laptop was in his current office.

On January 11, Dr. Pollan notified those affected that the laptop was probably stolen from his office, and their names, addresses, dates of birth, Social Security numbers, diagnosis code, surgical billing codes, and person responsible bills were on it.  The laptop was password protected, but the files were not encrypted.  As he explained, Dr. Pollan thought the laptop would be secure in his current office.   Although the laptop was stolen, the patients’ data had been backed upOr, and Dr. Pollan indicated that he was (now) encrypting the backup drive.

In compliance with HITECH requirements, a substitute notice was also published in the local media at the time.

The patients were not offered any identity theft prevention services.

This incident does not appear on HHS’s breach tool, but that does not necessarily mean that the breach was not reported to them.  Unfortunately, the doctor’s law firm, Harter Secrest & Emery LLP, did not respond to an inquiry I sent them about whether the breach had been reported to HHS. If they do respond, I will update this post. (UPDATE:  the breach was reported to HHS, as per their attorneys).

Information for this blog entry is based on the filing with NYS, which I obtained as part of my research for DataLossDB.org under a freedom of information request. I have a slew of reports to wade through, and may find other healthcare breaches that were previously unknown to us. All of the data will eventually be added to DataLossDB.org’s database.

Update: as subsequently reported on this blog, this incident was reported to HHS as affecting 19,178. On May 28, 2014, HHS posted an update to their breach tool:

As a result of OCR’s investigation, the CE encrypted the backup drive of the contents of the laptop computer. The CE also trained all staff on the use of encryption to safeguard data on personal computers and mobile devices.”

Category: Health Data

Post navigation

← Data breach notification rules should only apply where individuals are ‘severely affected’, say EU Ministers
Rosewood Inn of the Anasazi to notify customers of security breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.
  • Websites selling hacking tools to cybercriminals seized
  • ConnectWise suspects cyberattack affecting some ScreenConnect customers was state-sponsored
  • Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database
  • Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
  • The CCPA emerges as a new legal battleground for web tracking litigation

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.