As noted previously, Independence Care System in New York notified 2,434 patients after a laptop containing their PHI was stolen on May 7. ICS kindly provided PHIprivacy.net with a copy of their substitute notice of May 31st:
New York City Managed Long-Term Care Plan announces theft of laptop containing member information.
On May 7, 2013, Independence Care System, a managed long-term care plan serving senior adults and people with disabilities in New York City, discovered that, during a burglary at the home of a staff member, an ICS laptop containing information regarding 2,435 members was stolen. For nearly 60% of the affected members, the information included the member’s name, zip code and ICS Member ID number; for the remainder, the information also included the member’s street address, phone number, Medicaid ID number, and enrollment and/or disenrollment dates. No medical, financial or Social Security Number information was contained on the laptop. This press release is being issued in compliance with Health Insurance Portability and Accountability Act (HIPAA) regulations. ICS has offered one year of free credit monitoring to affected members.
The incident was immediately reported to the New York City Police Department. ICS has not received any indication that the information has been accessed or used by an unauthorized individual.
The affected members have been notified in writing as required by the Health Insurance Portability and Accountability Act (HIPAA).
# # #
Independence Care System is dedicated to supporting adults with physical disabilities and chronic conditions to live at home and participate fully in community life. ICS operates a nonprofit Medicaid managed long-term care plan serving Manhattan, Brooklyn, the Bronx and Queens. http://www.icsny.org
In a separate statement to PHIprivacy, an ICS spokesperson indicated that the employee was authorized to take the laptop home, and although ICS had procedures in place to protect member privacy, they are taking additional steps to prevent this type of incident from happening again. Specifically, ICS is “accelerating the implementation schedule of several planned security projects, including encrypting all laptops and implementing two-factor authentication for network access. This work is underway and will be completed by September 1, 2013.”