WBIR reports that 2,777 patients referred to Tennova Cardiology by Summit Medical Group in Tennessee are being notified that their PHI was on a laptop stolen from the car of an unnamed third-party transcription contractor. The theft occurred October 22.
The information on the stolen laptop may include names, dates of birth, referring physician names, and health information about patient treatment and diagnostic procedures. There is no evidence that any Social Security numbers were included in the information contained on the laptop.
The contractor is no longer performing services for the physician group.
There is no statement up on Tennova’s site as of the time of this posting, and it’s not clear whether the contractor is no longer working for the group as a direct result of this breach. From Tennova’s statement:
“Tennova Cardiology has no reason to believe that this information has been accessed or misused in a way that would cause harm to the affected patients.”
Was there software on the laptop that phones home? If not, how can they say anything about the data being accessed? And why did it take so long to notify patients? When did they first learn of the laptop theft from the contractor?
This is where HHS will want to see any BA contract Tennova had with the transcription contractor. And if they don’t want to see it, I do. Did their contract require the contractor to make notifications to patients in the event of a breach? Will the contractor be picking up the cost of notifications, etc.?
Read more on WBIR. KnoxNews also covers the story, but it’s behind a paywall.
UPDATE: WATE reports Tennova was notified the day after the theft.