American Sleep Medicine of San Diego, which describes itself as conducting more than 4,000 sleep studies each year, is notifying an undisclosed number of patients that some of their personal information was on an external hard drive stolen from a locked server room. The theft was discovered on March 3rd and reported to the San Diego Police Department.
In a letter to affected patients, Jim Evanger, President of ASM, writes that the hard drive contained information from sleep studies conducted in 2012, including:
- name
- date of birth
- referring doctor
- interpreting doctor
- medical history; and
- sleep study results.
The breach does not include Social Security numbers, Driver’s License/California Identification Card numbers or any financial account information, and ASM reports that there has been no indication that information has been used for any unlawful purpose. That said, they cautioned patients about checking explanation of benefits statements for any signs of misuse and suggested that they might want to obtain credit reports to look for unexplained medical bills. Because they do not mention medical insurance account numbers being involved in the breach, it’s not clear to this blogger how medical ID theft could occur unless a criminal used the information to socially engineer the patient or a doctor to obtain the insurance number.
In response to the incident, ASM is removing and destroying all remaining external hard drives going forward.
You can read the full notification letter on the California Attorney General’s web site. The letter is dated April 15, and has not shown up yet on HHS’s public breach tool, where we will find out the number affected, assuming it’s more than 500.