From their press release, dated June 3:
HealthCare Partners notified 15,727 patients of a breach of unsecured personal patient protected health information after discovering, on Monday, April 18, 2011, the theft of nineteen new computers from the medical group’s offices at 675 Arroyo Parkway in Pasadena and at 2600 Redondo Avenue in Long Beach. HealthCare Partners immediately notified the local police departments at both locations.
Some of HealthCare Partners’ patients’ medical information was stored on those computers, including names, addresses, birth dates, medical record numbers, health plan ID numbers, and treating physician names, as well as information about diagnoses, treatment plans, progress notes, prescriptions, referrals, and authorizations. The thieves also stole a safe from the Redondo Avenue office containing 16 checks written by patients to HealthCare Partners and credit card receipts for 60 patients. The credit card receipts did not include full credit card numbers.
HealthCare Partners believes that the risk of harm to these patients is low because the police investigation and HealthCare Partners’ investigation of the incident indicate that the items were stolen for their monetary value and not for the information on them. Nonetheless, in an abundance of caution, the notice HealthCare Partners has sent to the affected patients includes detailed information about identity theft protection, including precautions to minimize the risk of inappropriate use of the information.
HealthCare Partners is also offering an identity protection service from an outside vendor at no cost. The service, which includes $1,000,000 identity theft insurance coverage and fraud resolution services, will monitor credit and provide credit alerts by telephone. It also includes special services to detect fraud against children. The identity protection service will be valid for one (1) year from the date patients register.
HealthCare Partners, in conjunction with local law enforcement, is continuing to diligently investigate this crime and to pursue recovery of the stolen items. HealthCare Partners implements comprehensive security measures and policies to prevent the loss of private data including encrypting laptop disk drives, Internet firewalls, and secure data transmissions to partners. HealthCare Partners will take additional steps to protect the privacy and security of its patients’ health information against physical theft as occurred in this incident.
HealthCare Partners has trained staff available for patients to call with any questions related to the data breach. Patients may call 877.427.9288, Monday-Friday, from 8 am to 5 pm Pacific Time, with questions about this incident. In addition, patients may visit the HealthCare Partners website at www.HealthCarePartners.com for further information.
“HealthCare Partners understands the importance of safeguarding our patients’ personal information and takes that responsibility very seriously,” said Robert Margolis, MD, HealthCare Partners Chairman and CEO. “We will do all we can to work with our patients whose personal information may have been compromised to help minimize any potential impact of this situation on them. We regret that this incident has occurred, and we are committed to preventing such occurrences in the future. We appreciate the support and understanding our patients have shown at this time.”
Comment: I really, really hate these self-serving risk assessment statements and “abundance of caution” claims entities make in breach notices. Regardless of how low they think the risk is, they could be wrong. Statements such as the ones made in this press release are self-serving and may decrease the individual’s likelihood of taking steps to protect themselves. Could entities be right in hypothesizing that the theft is opportunistic for the value of hardware? Sure. But we’ve already seen cases in which such statements were made and people did access and misuse the data. Just tell people what happened and what they can do to protect themselves, please.