Hillary Davis reports:
A burglar swiped a laptop and hard drive containing sensitive medical and personal data for hundreds of mental health patients from Yuma and across the state.
Alicia Z. Aguirre is the general counsel for Yuma’s Arizona Counseling and Treatment Services, a contracted provider with Cenpatico Behavioral Health of Arizona. It was one of her employees who was the victim of the burglary last month.
“Sometime between March the 18th and the 25th, someone broke into an employee’s home and stole a work laptop and external hard drive,” among other belongings, she said.
The drive, which I will assume was not encrypted based on ACTS’s response and statements, held patients’ names, dates of birth and treatment plans of more than 500 patients served by ACTS and Cenpatico between 2011 and 2013. Social Security numbers and financial information were reportedly not involved.
Somewhat surprisingly to me, the general counsel for ACTS said their employee, who had permission to bring the laptop and information home, was not at fault.
Well, if the employee is not at fault or responsible for what might appear to be a failure to provide adequate physical security and adequate technological security such as encryption, then who is at fault? Did ACTS have policies in place that the employee failed to follow or did they not have sufficient policies in place? And was Cenpatico aware that devices with unencrypted PHI were being removed from ACTS’s premises and taken home by the employee? Did their contract with ACTS require encryption? Cenpatico’s office is closed at the time of this posting, so I was unable to put those questions to them prior to publication, but I left a message for them asking to speak to them about the incident.
In a conversation with a spokesperson from HHS this week, I learned that despite HHS’s previous statements to me that it investigates all breach reports, it turns out that the decision to investigate is made by regional directors. Although HHS’s original intention was to investigate all breaches, the sheer number of breach reports and the lack of adequate resources resulted in a change in their policy.
Hopefully, HHS will investigate this breach to determine if ACTS and Cenpatico complied with HIPAA’s Privacy Rule and Security Rule.
Read more on Yuma Sun. Neither ACTS nor Cenpatico Behavioral Health of Arizona appear to have any notices on their respective web sites as of the time of this posting, but I expect that there will be something on ACTS’s web site by Friday.