From the notice on their web site:
March 21, 2018 – Clinical Pathology Laboratories Southeast, Inc. (“CPLSE”) has become aware of a data security incident that may have involved the personal and protected health information of its patients and their payment guarantors.
On September 20, 2017, a laptop issued to a CPLSE employee was stolen. The laptop may have contained personal and protected health information belonging to CPLSE patients and their payment guarantors. Upon learning of the incident, CPLSE disabled the stolen laptop’s access to its computer network and reported the laptop theft to the local police. CPLSE also conducted an investigation to determine what information may have been stored on the laptop. The information stored on the laptop may have included names, addresses, Social Security numbers, drivers’ license or government identification numbers, medical record identification numbers, and/or medical treatment information.
CPLSE takes the security of information belonging to its patients and their payment guarantors very seriously and has taken steps to prevent a similar event from occurring in the future. These steps include increasing the security of the CPLSE systems and networks through the use of encryption technology, updating relevant policies and procedures, and retraining staff.
Notification letters have been sent to the potentially impacted individuals which include information about the incident and steps that those individuals can take to monitor and protect their personal information. CPLSE has established a toll-free call center to answer questions about the incident and to address related concerns. The call center is available Monday through Friday from 8:00 a.m. to 8:00 p.m. Eastern Time and can be reached at 1-866-245-4291. In addition, out of an abundance of caution, CPLSE is offering potentially impacted individuals credit monitoring and identity theft protection services through ID Experts® at no cost.
[…]
For the full statement, see their site. Notification of this incident was also made to the Montana Attorney General’s Office today.
Update: shortly after this post appeared, their notice was given a different URL on their site. The link to it has now been updated. It can also be found on the Montana Attorney General’s site.
Why did it take so long to notify patients?