Alexis Krell reports:
A South Sound doctor who visits patients at local nursing homes said Monday his laptop computer with personal information of about 900 patients he’s seen for the past three years was stolen from his vehicle.
Dr. Ronald Schubert, whose practice is based in Federal Way, said he saw the patients between January 2011 and November 2013 in Pierce, Thurston and Kitsap counties. Information on the stolen computer includes names, Social Security numbers, birth dates, addresses and medical information.
Read more on The News Tribune. This incident had been added to HHS’s breach tool in the January 10 update, as I reported here.
Of note, Dr. Schubert’s license to practice medicine was (and remains) under probation at the time of this incident. He had been disciplined by the state over serious charges involving sexual misconduct with a patient that went on for over seven years. As a result of the disciplinary action, Dr. Schubert was and is required to comply with all state, federal, and local laws and administrative rules governing the practice of medicine. Could violating HIPAA’s Security Rule run him afoul of that provision of the order? Possibly, although I suspect the state is more concerned about the misconduct and boundaries issues and this incident will have little or no impact on his probationary status.
But that brings us back to a question I’ve posed previously on this blog: are covered entities who have violated the ethics or licensing rules due to failure to control impulses – whether for alcohol, drugs, or sex – more likely to have data/HIPAA breaches that are also related to failure to control impulses (such as impulse to check a state database about a non-patient, or impulsively leaving a laptop in the car when prudence dictates you take it with you, etc.)?
I think it’s an interesting question that someone might want to research by starting with a sample of covered entities who have reported breaches and backtracking to determine what percent of them had disciplinary action against their licenses prior to the breach. And compute the same statistic for a matched sample of providers who have not reported any breaches.
It’s just a thought….