IT solutions provider SynerMed has been notifying patients whose PHI was on a laptop stolen from an employee’s car. The PHI in question was from members of Inland Valleys IPA.
According to their notification letter, the laptop was stolen on the night of April 14 or morning of April 15, while the car was parked outside the employee’s home. The employee notified the firm and law enforcement immediately, and SynerMed was able to take steps to protect the data from that point forward:
The laptop was password-protected, and any ability to use the laptop to connect to SynerMed systems was eliminated immediately in the early morning, April 15.
Although the computer did not include Social Security numbers, reports on the laptop could have contained member name, membership number, member address, CPT Code, Diagnosis Code, and date of birth (in some cases). No financial information was on the laptop.
You can read the notification letter here.
Disturbingly (to me, anyway), the firm does not apologize or indicate that leaving a laptop with PHI on it in an unattended vehicle violates its security protocols. Did it violate their policies, and if not, why didn’t they have any such policy? And if they did have a policy and it wasn’t followed, has the employee been disciplined?