Update: This incident was reported to HHS on January 15 as affecting 28,209 patients.
Montana Public Radio reports that New West Health Services is notifying 25,000 members after a laptop with their PHI was stolen. Here’s the statement that was posted on New West Medicare’s site today, with one interruption by me for a short, but tasteful, rant:
New West Health Services d/b/a New West Medicare has unfortunately learned of an incident involving a company laptop computer that was stolen from an off-site location. The computer contained electronic files with personal information from past and present New West customers. The computer was password protected, and there is no evidence to suggest that the information stored on the laptop was the target of the theft or that any customer information has been accessed or misused.
Once we learned of the theft, New West took immediate action including initiating an internal investigation and notifying law enforcement. We also retained Navigant, a leading national computer forensic firm, to assist us in our investigation.
Based on the forensic investigation, New West believes that the laptop contained customers’ names, addresses and, in certain instances, driver’s license numbers and Social Security numbers or Medicare claim numbers. The laptop may have also contained limited information related to some individuals’ payment of Medicare premiums, including electronic funds transfer information (bank account number, account holder name, account type and bank routing number) or credit card information (card holder name, credit card account number, expiration date and CVV (“Card Verification Value”) number). Additionally, the laptop may have contained some customers’ health information, including dates of birth, medical history and condition, diagnosis and/or prescription information.
To reiterate, we have no indication that the data has been accessed or used inappropriately. However, out of an abundance of caution, New West is proactively notifying impacted members so they can take steps to safeguard their personal information going forward.
Okay, they should not be allowed to claim that they are (only) notifying out of an “abundance of caution,” when they are required by law to notify.
We regret any concern this may cause, and are offering one year of complimentary credit monitoring and identity protection services to those individuals whose Social Security numbers were involved.
The privacy and security of members’ information is a top priority. Moving forward, we are committed to taking steps to prevent this type of incident from occurring in the future. These steps include installing additional security on all company laptops, enhancing education for our employees, and strengthening our data security policies and practices.
If you have any questions or need additional information, you may call the call center we have established at 877-802-1399, Monday-Friday, 7 a.m. – 7 p.m. MST. Again, we sincerely apologize for any frustration or concern this incident may have caused.
Sincerely,
Angela E. Huschka
Chief Executive Office and Chief Financial Officer
New West Health Services d/b/a New West Medicare
So by minimizing the risks of the breach and reassuring members that they’re only notifying out of an “abundance of caution,” are they dissuading people from taking steps to protect themselves from ID theft or medical ID theft?