DataBreaches.Net


Psychological assessments provider notifies patients after laptop with PHI stolen in office burglary

Posted on December 17, 2013 by Dissent

A breach reported by Comprehensive Psychological Services LLC in South Carolina was added to HHS’s public breach tool yesterday. According to HHS’s entry, 3,500 patients were notified after a laptop was stolen from the practice’s office on October 28.

Comprehensive Psychological Services LLC offers a range of assessment and evaluation procedures including neuropsychological testing, educational testing, custody evaluations, and other services. As such, their records tend to contain sensitive PHI.

Although I was unable to find any media coverage of the breach or notice on their web site at this time, Dr. Hahari kindly e-mailed me a copy of the media notice they had run on November 5. The notice states that a burglar stole a laptop computer by smashing an office window to gain entry. Although the stolen laptop had password protection “with a complex numerical code,” patient files were not encrypted, and Dr. Hahari informed patients that “if the burglar was able to decode the password, then it would be possible to access your protected health information.”

The theft was immediately reported to the Columbia Police Department. Although the practice reported that they had no evidence of any access to or misuse of information on the laptop, they dutifully informed patients:

There are two sources of protected health information on the laptop computer. The first source of protected health information on the laptop is a computer program called “Customer Appointment Manager,” which was utilized for scheduling purposes. The Customer Appointment Manager program contains the individual patients’ name, date of birth, phone number, address, the name of the health insurance company, appointment date, and a brief description of the presenting concern. Importantly, the Customer Appointment Manager did not contain social security numbers, financial information (credit cards), or health insurance identification numbers.

The second source of protected health information is contained in each patient’s treatment records including therapy notes and psychological reports. This data typically includes the patient’s name, date of birth, report date, tests utilized, family background information, test results, diagnostic impressions, and recommendations for future services. At the conclusion of the report, there is a list of the billing codes utilized by health insurance payers. Similar to the Customer Appointment Manager, there is no information pertaining to financial information (credit cards) or health insurance identification numbers contained within the treatment records. It is noted that the only evaluations conducted by this office that may have contained social security numbers was for the S.C. Department of Disability Services prior to April 2007. Otherwise, for any other evaluations or therapy sessions prior to April 2007, and all services conducted in this office after April 2007, your social security number was not recorded.

Patients were given advice as to how to protect themselves, including examining bills or insurance statements (EOBs) and immediately reporting any suspicious activity to Comprehensive Psychological Services and health insurers. They were also advised:

The following information is provided to assist you in the protection regarding financial identity. In an abundance of caution, despite not having any record of credit card information, insurance identification in the laptop files, and no listing of the social security numbers (with the possible exception of Department of Disability Service evaluations conducted prior to April 2007), it is recommended that you place a fraud alert on your credit file.

CPS also indicated that as part of their active commitment to improving security to ensure a similar incident doesn’t happen again, they were “developing a system that will use a higher standard of security to protect your confidentiality and personal information.”

They do not specify what that system will include, but it seems obvious that it will need to involve greater physical security and technical safeguards, and in particular encryption of the data at rest rather than a logon password alone.
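The gap in this incident was a laptop whose logon password was strong but whose disk was not encrypted. The script below is an added example, not code from the post or from the practice, showing how an administrator can audit a Windows laptop for active full-disk encryption with the standard BitLocker cmdlets. It assumes Windows 10/11 Pro or Enterprise with the BitLocker PowerShell module present; the export path is a hypothetical location chosen for the example.

```powershell
# Added example (not from the original post): audit a Windows laptop for
# full-disk encryption so that data at rest on a stolen device stays protected
# regardless of how strong the logon password is.
# Assumes Windows 10/11 Pro or Enterprise with the BitLocker module available.

function Get-DiskEncryptionAudit {
    [CmdletBinding()]
    param()

    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        throw "BitLocker cmdlets not available; this Windows edition may not support BitLocker."
    }

    foreach ($vol in Get-BitLockerVolume) {
        # ProtectionStatus 'On' means the volume is encrypted AND its key protectors
        # are active; 'Off' covers both unencrypted volumes and encrypted volumes
        # whose protection has been suspended (e.g. for a firmware update).
        $protectorTypes = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

        [PSCustomObject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType          # OperatingSystem or Data
            VolumeStatus      = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            ProtectionStatus  = $vol.ProtectionStatus    # On or Off
            EncryptionPercent = $vol.EncryptionPercentage
            KeyProtectors     = $protectorTypes          # e.g. Tpm, RecoveryPassword
            # Compliant only when encryption is complete and protectors are active
            Compliant         = ($vol.ProtectionStatus -eq 'On' -and $vol.EncryptionPercentage -eq 100)
        }
    }
}

$audit = Get-DiskEncryptionAudit
$audit | Format-Table -AutoSize

$unprotected = $audit | Where-Object { -not $_.Compliant }
if ($unprotected) {
    Write-Warning ("Volumes without active full-disk encryption: " + ($unprotected.MountPoint -join ', '))
    Write-Warning "A logon password alone does not protect these volumes once the device is out of your hands."

    # Keep a per-machine compliance record (hypothetical path for this example).
    $reportDir = Join-Path $env:ProgramData 'EncryptionAudit'
    New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
    $audit | Export-Csv -Path (Join-Path $reportDir "$env:COMPUTERNAME.csv") -NoTypeInformation -Force
}
```

Run it from an elevated PowerShell session. A volume is reported as compliant only when encryption has finished and protection is switched on; a disk that is "encrypted" but has protection suspended is treated as exposed, because in that state the key is stored in the clear. Remediation for a non-compliant OS volume on TPM hardware is the standard `Enable-BitLocker -MountPoint 'C:' -TpmProtector -RecoveryPasswordProtector` sequence, with the recovery password escrowed somewhere other than the laptop.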

Thanks to Comprehensive Psychological Services LLC for providing the information used in this post.

Category: Health Data


3 thoughts on “Psychological assessments provider notifies patients after laptop with PHI stolen in office burglary”

  1. Anonymous says:
    December 19, 2013 at 1:31 pm

    “if the burglar was able to decode the password, then it would be possible to access your protected health information”

    No. The burglar has their information if any of the following:

    * He resets the Windows password
    * Removes the hard drive and uses it with a different computer
    * He attaches a new primary hard drive and uses that to start Windows

    So, basically, if the “burglar” has *any* desire whatsoever to get the data, he will.

    1. Anonymous says:
      December 19, 2013 at 1:56 pm

      Yes, and your comment applies to all of these password-protected-only breaches. At least the provider isn’t doing what providers used to do – simply tell recipients that something was “password-protected” as if that gave good protection. As consumers become even more savvy, they will come to learn that there are various ways data can be accessed or retrieved from stolen devices.

      I think HHS could be of more help to covered entities by providing some template language they could use to notify patients that would be more accurate but not too technical for the average patient or consumer. Maybe that’s something you and I could draft and even post on this site to help get the word out.

      1. Anonymous says:
        December 19, 2013 at 2:07 pm

        Yes. Absolutely.

        Even providing guidelines for use, such as prohibiting the use of misleading, placating assurances like “it was password protected”, “we have no reason to believe your information has been used maliciously” or “your security is very important to us”. Okay, maybe not the last one, but you get the point.

        Adding a “personal identity breach level” value may also be worthwhile, since the current metrics are solely focused on aggregate (e.g. not personal) impact.

