The following notice was posted by the Georgia Department of Behavioral Health and Developmental Disabilities on their web site yesterday. Spoiler alert: they do not say whether any policies requiring encryption or security of mobile devices were violated by the employee who left the laptop in an unattended vehicle. Nor are they offering any free credit monitoring services, even though SSN and date of birth were among the PHI stolen. Saying that a program will wipe the data if someone attempts to connect to the Internet does not protect the data if the thief simply powers up the laptop and finds all that data:
A laptop owned by the Georgia Department of Behavioral Health and Developmental Disabilities (DBHDD) was stolen from an employee’s vehicle on August 14, 2014, while the employee was attending a conference in Clayton County, Georgia. The device contained protected health information (PHI) of individuals receiving services funded through DBHDD. At this point, there is no evidence that any confidential information has been accessed or used.
The PHI contained on the laptop relates primarily to individuals served by DBHDD’s region six office located in west central Georgia. Anyone whose personal information is believed to be on the missing laptop should have received a letter from the department. The letter explains the incident and gives the toll-free number (844-888-5998) for individuals to call with questions about their personal information. The letter also provides information for those who may be concerned about the possibility of unauthorized use of their personal information. It also explains how to get a free credit report and place a fraud alert on your credit report.
Because the laptop contains information of more than 500 individuals, the Health Insurance Portability and Accountability Act (HIPAA) requires that DBHDD notify the media about the incident. We have followed the reporting procedures mandated by the U.S. Department of Health and Human Services. The media notice, letter and this website provide information on how to contact DBHDD and federally-approved companies that offer free credit reports and free fraud alerts on those credit reports.
We regret the theft of the laptop containing personal information of individuals who receive our services. We apologize for any inconvenience this may have caused. We want the public to know that we take seriously the confidentiality of protected health information about the people we serve. The department is taking all reasonable steps to investigate this matter. We are also taking proactive steps to protect confidential information by reducing the risk of information being accessed by unauthorized persons in the future.
For more information, please see the Frequently Asked Questions and the information on how to request a free credit report and fraud alert below.
*******************************
Frequently Asked Questions
How was the laptop stolen?
An employee of the Georgia Department of Behavioral Health and Developmental Disabilities (DBHDD) was staying at a hotel in Clayton County, Georgia on official business. The thief smashed a car window and removed the laptop.
What information was on the stolen laptop?
The laptop contained protected health information (PHI) of individuals receiving DBHDD-funded services. In this case, the PHI included name, address and phone number, date of birth, name of guardian (if any), marital status, social security number, Medicaid number, diagnosis, behavioral data and other information.
How many individuals may be affected by the theft?
The laptop contained PHI of 3,397 individuals.
Has this incident resulted in any identity theft? Are bank and credit card accounts at risk due to the theft?
The investigation has not shown that anyone’s personal information has been accessed or used. No known identity thefts have been linked to this incident. However, anyone who wants to know whether his or her information is on the laptop should call DBHDD at the toll-free number 844-888-5998. This number will be available until January 9, 2015, for the purpose of inquiries on this incident only.
How is DBHDD notifying individuals whose PHI may have been compromised?
DBHDD has sent individual letters to clients (or their guardians) giving them information on how to request free credit reports, and request a free fraud alert on their credit report from federally-approved companies. DBHDD has provided a contact within the department for this information. Call 844-888-5998 (toll-free, open until January 9, 2015).
What measures are being taken to determine whether PHI has been stolen?
A law enforcement investigation into the theft is underway. DBHDD is also conducting an internal investigation into the incident. Additionally, there are security measures in place on the laptop which will wipe the data and prevent access to the PHI if an unauthorized user attempts to access the internet.
How will the department protect data security in the future?
The nature of DBHDD services requires employees to work in the field and have access to protected health information (PHI) while on-location. We cannot ensure that devices are never stolen, but the department is taking active steps to secure protected health information. This includes strengthening department policies and procedures related to PHI and increasing training on security awareness regarding DBHDD-issued laptops. The department is also working to ensure that all laptops are encrypted and that PHI can only be accessed using a virtual private network (VPN), so that no protected data is stored on a laptop.