DataBreaches.Net

DaVita notifies dialysis patients of breach

Posted on November 7, 2013 by Dissent

Adam Greenberg reports that DaVita is notifying approximately 11,500 dialysis patients of a breach that occurred when a laptop with unencrypted PHI was stolen from an employee’s car.

The notice on DaVita’s site, dated Nov. 5 and linked from its home page, reads:

DaVita®, a division of DaVita HealthCare Partners Inc., reported today that on Sept. 6, 2013, a laptop was stolen from a teammate’s vehicle. Although DaVita maintains a company-wide program and policy requiring encryption of laptop computers, DaVita discovered that the encryption technology on this particular device had been unintentionally deactivated.

DaVita has determined that personal information belonging to approximately 11,500 patients was on the laptop at the time of the theft. In most cases, this information included details such as name, clinical diagnoses (e.g., end stage renal disease), insurance carrier name, claims payment data and dialysis treatment information. For approximately 375 patients, the information stored on the laptop included Social Security numbers. Personally identifiable information for a very small number of DaVita teammates was also stored on the laptop. All affected individuals will receive letters with additional information.

DaVita takes its responsibility to protect its patients’ information very seriously and maintains extensive security and privacy programs. The laptop in question was password-protected and the theft was reported to law enforcement. DaVita has no evidence that the data on the laptop has been accessed or used. Nonetheless, out of an abundance of caution and to ensure that patients are protected, DaVita is offering affected patients one year of credit-protection services, including credit monitoring, identity recovery assistance and identity theft insurance through idexperts® at no charge.

“We sincerely apologize for any inconvenience or concern this incident may cause our patients,” said DaVita spokesperson Skip Thurman. “DaVita has reviewed its encryption practices and implemented additional safeguards to protect against any future instances of non-compliance with our encryption policies and procedures.”

Patients with questions or concerns regarding this incident or those seeking assistance with establishing their credit monitoring services can call 1-866-797-3792 toll free Monday through Friday, 9:00 a.m. to 9:00 p.m. EST.

DaVita and DaVita HealthCare Partners are trademarks or registered trademarks of DaVita HealthCare Partners Inc.

If DaVita’s name rings a bell, it may be because I reported three other breaches they experienced in 2008 and 2009:

  • In March 2008, they reported that a laptop stolen from an employee’s car contained unencrypted patient information that included insurance filings for dialysis services for current and former patients, including name, social security number, medical insurance coverage information, and/or other personal and health related information.
  • In December 2008, DVA Renal Healthcare reported that unencrypted patient information was involved in a burglary at a Florida facility and that the “documents may have contained your name, social security number, medical insurance coverage information, and/or other personal and health-related information.”
  • In August 2009, they reported that Renal Treatment Centers Southeast – LP, an affiliate of DaVita, suffered a data loss when a DaVita facility in Dallas was burglarized and multiple desktop computers were stolen. The stolen hard drives contained dialysis insurance documents which contained patients’ names, addresses, SSN, insurance numbers, treatment records, progress notes, and other personal or medical information.

Four incidents of theft involving unencrypted patient information? Given that we don’t find out about most breaches, this may not be an unusual rate for a 5-year period, and if they went four years without a reportable breach, then that may reflect progress. It’s also commendable that this time, unlike past breaches, they offered affected patients free credit-monitoring services. But four breaches that all could have been avoided if encryption had been properly deployed and verified on a regular basis? How… frustrating.

Category: Health Data

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.