Robert E. Soper, M.D. is notifying current and former patients:
During a visit to San Francisco On June 27 my car was broken into and my computer stolen, along with camera, suitcases, and other equipment. The computer was an older office desktop I planned to give to my brother. It was hidden in the trunk.
The computer contained patient names, dates of birth, some phone numbers, and clinical notes, and e-mails. Addresses, social security numbers, and insurance information were not stored on the stolen computer.
Fortunately, the clinical notes were protected by two passwords, and were maintained in a format unique to the software used to prepare them. The software program itself was not on the computer, making the data almost impossible to decipher.
E-mail information was password protected, and generally contained laboratory reports, some reports from outside health care providers, and e-mails sent to the office by our patients.
So to be clear, he was transporting a computer with PHI and left it in the trunk of his unattended vehicle at some point? And he was planning to give the computer to his brother? With all that PHI on it? Why wasn’t the drive wiped before he put it in the car? Was he expecting his brother to wipe the drive, or….?
[…]
The good news is that if the computer goes on line, Apple Computer will identify the computer, erase this disk, put up a message that the computer is stolen, and notify me. That service is very beneficial if anyone connects that computer to the internet. So far, I have heard nothing.
Well, that’s good, but this whole thing could have been avoided by wiping the computer first and/or not leaving it in an unattended vehicle.
And oh, does it make a difference to you in evaluating this breach if you know that Dr. Soper is a psychiatrist?
You can read the full notification on the California Attorney General’s site.
This reminds me of data camouflage… In fact it is data camouflage, by at least what he says about “only the software being able to read the data”. Not encryption.