Last week, HealthFitness notified Gerdau that there was a possible data breach of the personal health information of some of its employees, spouses and dependents, according to a news release cited in a Jackson Sun news story:
The letter notes that HealthFitness, which works as the third-party administrator for Gerdau’s health management and wellness program, discovered that a laptop containing information pertaining to the program was stolen from a HealthFitness employee.
The information on the laptop included information for individuals to enroll in the health management program — employee and/or spouse name, birth date, health plan election and Social Security numbers.
Read more on Jackson Sun.
Because I could not find a copy of the press release online or on either of the two entities’ web sites, PHIprivacy.net emailed Gerdau over the weekend asking for additional details, including:
1. When was the laptop stolen, and where?
2. Was it stolen from the employee’s car or home or…?
3. When did HealthFitness report the theft to Gerdau?
4. How many people total (employees, spouses, dependents) were affected by the breach?
5. Did Gerdau have a Business Associate contract in place with HealthFitness, and if so, did HealthFitness violate any security clauses in the contract? Specifically, were the data on that laptop supposed to have been encrypted, and did the employee have permission to remove the data from their offices?
6. What steps is Gerdau taking to prevent a similar problem in the future?
Gerdau did not respond by the time of this publication, but I will update this post if they do.