In December, 2012, University Dental Associates at the Maimonides Medical Center in Brooklyn, New York notified 2,400 patients that a laptop containing their PHI had been stolen from their office. Although the theft both occurred and was discovered on November 21, it was not reported to the NYPD until November 26, 2012.
The computer was password-protected, but files were not encrypted, and contained patients’ names, Social Security numbers, addresses, dates of birth, and billing codes for services the patients received.
I’ve uploaded a copy of the notification letter submitted to NYS Division of Consumer Protection, obtained in response to a freedom of information request. It was signed by partners Alvin D. Fried, DDS and Julius R. Berger, DDS, and did not offer patients any credit protection services. It did state, however, that appropriate governmental agencies had been notified in December 2012. Presumably, that would include HHS, but I do not see this breach on their public-facing breach tool. Is HHS that far behind in verifying breaches?
Once I became aware of this breach, I was able to find a copy of the breach notice on the practice’s web site.
Curiously, this is the second breach I’ve learned about today that involved the theft of a laptop with unencrypted patient data from a dental office and the second breach of this kind that doesn’t appear on HHS’s breach tool yet. It seems that encryption is still not being routinely deployed, which is a concern. I wonder if HHS will decide to send a stronger message that HIPAA-covered entities cannot count on physical security in their offices to protect PHI.