In January 2011, this site noted that Southern Perioperative Services in Alabama had reported a breach to HHS that occurred in November 2010 and affected 2,000 patients. Other than HHS’s coding of the incident as
“Theft, Other Portable Electronic Device, Other,” no additional details were available.
Yesterday, HHS updated its entry for the breach to indicate that it had closed its investigation. Its summary of the incident reads:
A bag containing a compact disk – read only memory (CD-ROM) was stolen from the vehicle of a physician associated with the covered entity (CE). The CD-ROM involved in the breach contained names, dates of birth, social security numbers, medical histories, and the treatment information of approximately 2,046 individuals. Following the breach, the CE filed a police report and provided breach notification to affected individuals, HHS, and the media. The CE sanctioned and retrained the physician whose bag was stolen and implemented organization wide improvements to its compliance with the Privacy and Security Rules. As a result of OCR’s investigation the covered entity posted substitute notification of the breach in the local paper and confirmed that corrective actions steps were taken.
So now we know.