A breach reported by Comprehensive Psychological Services LLC in South Carolina was added to HHS’s public breach tool yesterday. According to HHS’s entry, 3,500 patients were notified after a laptop was stolen from the practice’s office on October 28.
Comprehensive Psychological Services LLC offers a range of assessment and evaluation procedures including neuropsychological testing, educational testing, custody evaluations, and other services. As such, their records tend to contain sensitive PHI.
Although I was unable to find any media coverage of the breach or notice on their web site at this time, Dr. Hahari kindly e-mailed me a copy of the media notice they had run on November 5. The notice states that a burglar stole a laptop computer by smashing an office window to gain entry. Although the stolen laptop had password protection “with a complex numerical code,” patient files were not encrypted, and Dr. Hahari informed patients that “if the burglar was able to decode the password, then it would be possible to access your protected health information.”
The theft was immediately reported to the Columbia Police Department. Although the practice reported that they had no evidence of any access to or misuse of information on the laptop, they dutifully informed patients:
There are two sources of protected health information on the laptop computer. The first source of protected health information on the laptop is a computer program called “Customer Appointment Manager,” which was utilized for scheduling purposes. The Customer Appointment Manager program contains the individual patients’ name, date of birth, phone number, address, the name of the health insurance company, appointment date, and a brief description of the presenting concern. Importantly, the Customer Appointment Manager did not contain social security numbers, financial information (credit cards), or health insurance identification numbers.
The second source of protected health information is contained in each patient’s treatment records including therapy notes and psychological reports. This data typically includes the patient’s name, date of birth, report date, tests utilized, family background information, test results, diagnostic impressions, and recommendations for future services. At the conclusion of the report, there is a list of the billing codes utilized by health insurance payers. Similar to the Customer Appointment Manager, there is no information pertaining to financial information (credit cards) or health insurance identification numbers contained within the treatment records. It is noted that the only evaluations conducted by this office that may have contained social security numbers were those for the S.C. Department of Disability Services prior to April 2007. Otherwise, for any other evaluations or therapy sessions prior to April 2007, and all services conducted in this office after April 2007, your social security number was not recorded.
Patients were given advice on how to protect themselves, including reviewing bills and insurance Explanation of Benefits (EOB) statements and immediately reporting any suspicious activity to Comprehensive Psychological Services and to their health insurers. They were also advised:
The following information is provided to assist you in the protection regarding financial identity. In an abundance of caution, despite not having any record of credit card information or insurance identification in the laptop files, and no listing of social security numbers (with the possible exception of Department of Disability Service evaluations conducted prior to April 2007), it is recommended that you place a fraud alert on your credit file.
CPS also indicated that as part of their active commitment to improving security to ensure a similar incident doesn’t happen again, they were “developing a system that will use a higher standard of security to protect your confidentiality and personal information.”
They do not specify what that system will involve, but it will clearly need to include both stronger physical security and technical safeguards, at a minimum encryption of any PHI stored on laptops or other portable devices, since a login password alone does nothing to protect files on a stolen machine.
Thanks to Comprehensive Psychological Services LLC for providing the information used in this post.
“if the burglar was able to decode the password, then it would be possible to access your protected health information”
No. The burglar has their information if he does any of the following:
* He resets the Windows password
* He removes the hard drive and uses it with a different computer
* He attaches a new primary hard drive and uses that to start Windows
So, basically, if the “burglar” has *any* desire whatsoever to get the data, he will.
Yes, and your comment applies to all of these password-protected-only breaches. At least the provider isn’t doing what providers used to do – simply tell recipients that something was “password-protected” as if that gave good protection. As consumers become even more savvy, they will come to learn that there are various ways data can be accessed or retrieved from stolen devices.
I think HHS could be of more help to covered entities by providing some template language they could use to notify patients that would be more accurate but not too technical for the average patient or consumer. Maybe that’s something you and I could draft and even post on this site to help get the word out.
Yes. Absolutely.
Even providing guidelines for use, such as prohibiting the use of misleading, placating assurances like “it was password protected”, “we have no reason to believe your information has been used maliciously” or “your security is very important to us”. Okay, maybe not the last one, but you get the point.
Adding a “personal identity breach level” value may also be worthwhile, since the current metrics are solely focused on aggregate (i.e., not personal) impact.