On March 2nd, home health and hospice care provider Amedisys issued a press release disclosing that, during a risk management inventory of its devices begun in the second half of 2014, it was unable to locate 142 encrypted computers and laptops. The devices had been assigned to Amedisys clinicians and other team members who left the company between 2011 and 2014.
As a result, Amedisys is notifying HHS and appropriate authorities, and on February 28, 2015, began sending notifications to 6,909 patients potentially impacted.
“Amedisys has no indication of external hacking into its network, and no evidence that any patients or former patients have suffered any actual harm,” the firm writes, noting that all devices are robustly protected with 256-bit disk encryption, administrator restrictions, and “several other security protections designed to safeguard the personal and medical information of the Company’s patients.”
Depending on the device, the information on the missing devices may have included any or all of the following: name, address, Social Security number, date of birth, Medicare and insurance ID numbers, medical records and other personally identifiable data.
For clinician-assigned laptops, these records related only to those patients assigned to the clinicians who used the device to provide healthcare services. As the firm notes, however, although Amedisys disabled departing employees' network passwords, those former employees still held the encryption key needed for local access to their formerly assigned device. So clinicians who failed to return their devices on termination from the company would still have access to the patient information on their device. An assessment of the devices that Amedisys was able to recover, conducted by Booz Allen Hamilton, has reportedly shown that,
in the vast majority of cases, no one has accessed or used the patient information on the devices subsequent to the team member’s departure from Amedisys. As regards the minority of instances in which post-departure access occurred, we have no evidence to indicate that such access was made for any improper purpose.
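One defensive check the incident points to, added here as an example and not code from Amedisys or Booz Allen Hamilton: reconcile the asset inventory against HR departure dates, flag devices that never came back after a grace period, and record whether the disk-encryption key is still the one the former holder knows. The employee and device records, tags and dates are constructed, and `key_rotated` is an assumed inventory field.

```python
from dataclasses import dataclass
from datetime import date

# Constructed asset-inventory and HR records for the example; the tags,
# user ids and dates are made up and are not Amedisys data.

@dataclass(frozen=True)
class Device:
    asset_tag: str
    assigned_to: str   # clinician the device was issued to
    returned: bool     # inventory shows it came back
    key_rotated: bool  # disk-encryption key changed after the holder left

@dataclass(frozen=True)
class Employee:
    user_id: str
    departure: "date | None"  # None means still employed

def unreturned_after_departure(devices, employees, as_of, grace_days=14):
    """List devices whose holder has left and that are still out past the
    grace period, noting whether the former holder can still unlock them."""
    departed = {e.user_id: e.departure for e in employees if e.departure}
    findings = []
    for d in devices:
        left = departed.get(d.assigned_to)
        if left is None or d.returned:
            continue
        overdue = (as_of - left).days
        if overdue <= grace_days:
            continue
        findings.append({
            "asset_tag": d.asset_tag,
            "former_holder": d.assigned_to,
            "days_since_departure": overdue,
            # Disabling the network password does not touch the disk key, so
            # until the key is rotated (or the disk wiped) the former holder
            # can still read the local copy of the patient records.
            "local_data_still_readable": not d.key_rotated,
        })
    return sorted(findings, key=lambda f: -f["days_since_departure"])

EMPLOYEES = [Employee("rn_anna", date(2012, 6, 30)),
             Employee("rn_ben", date(2014, 11, 3)),
             Employee("rn_cara", None)]
DEVICES = [Device("LT-0101", "rn_anna", returned=False, key_rotated=False),
           Device("LT-0102", "rn_ben", returned=True, key_rotated=False),
           Device("LT-0103", "rn_ben", returned=False, key_rotated=True),
           Device("LT-0104", "rn_cara", returned=False, key_rotated=False)]
AS_OF = date(2014, 12, 31)  # date the inventory was reconciled (constructed)
```

Running `unreturned_after_departure(DEVICES, EMPLOYEES, AS_OF)` reports LT-0101 (out for 914 days, data still readable by the former holder) and LT-0103 (out for 58 days, key already rotated), while the returned device and the current employee's device are not flagged.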
Potentially impacted individuals are being offered identity theft protection services through Kroll, including credit monitoring, to protect against any possible harm that could arise from the incident.
The firm has retained Booz Allen Hamilton to assess and enhance its security and inventory systems and practices to ensure the protection of sensitive patient information.
Incident-Related Files:
- Overview by Amedisys
- Press Release
- Letter to Patients
- Frequently Asked Questions about the incident
- Amedisys offer of identity theft protection services through Kroll
- Sidley Austin LLP letter of March 2nd to NH Attorney General’s Office (pdf)
With the exception of their attorneys’ notification to New Hampshire, all files are on Amedisys’s web site, with the breach incident prominently linked from their home page. Amedisys’s breach disclosure and documents are a great example of clear writing and transparency. I realize some may raise questions about their security protocols and failure to ensure devices were returned on termination, but given that this happened, their response has been appropriate, I think, and they seem to be taking necessary steps to prevent a recurrence.