Office Burglary Exposes 8,000 Patients’ PHI


The theft of a desktop computer has resulted in a limited amount of protected health information (PHI) of almost 8,000 patients of Brevard Physician Associates being exposed.

The burglary happened on September 4, 2017 – Labor Day – when the offices were closed for business. In the early morning, individuals broke in and stole three desktop computers from the premises.

The burglary activated the alarm system and police attended the scene immediately, although the criminals had already escaped. A forensic analysis of the office was completed. Despite this, the individuals responsible have still not been located and the computers have not been recovered.

Two of the desktop computers did not store any protected health information, but the third computer had five audit files stored on its hard drive. The information in those audit files was limited, although there was enough data to warrant the issuing of breach alerts to patients.

Brevard Physician Associates moved speedily to send out breach notification letters to affected patients, well within the timeframe permitted by the HIPAA Breach Notification Rule. In total, 7,976 subscribers were potentially impacted and had the following details exposed: names, names of insurance providers, CPT codes for the services provided, and the amounts charged for services given.

The HIPAA Security Rule does not make the use of encryption mandatory, although if the decision is taken not to employ data encryption, an alternative, equivalent control must be used in its place to secure the confidentiality, integrity, and availability of PHI. While the desktop computers were not encrypted, they were safeguarded with strong passwords. Brevard Physician Associates also claims that the devices can be remotely wiped of all data they contain, and that safeguard has been used. Once the devices connect to the Internet, the data will be remotely destroyed.

Brevard Physician Associates claims the danger of identity theft and fraud due to the incident is low. Even though addresses, dates of birth, telephone numbers, Social Security numbers, financial information and insurance ID numbers were not accessed and could not be viewed by the thieves, steps have been taken to offer all affected patients 12 months of free credit monitoring services.

Brevard Physician Associates has provided the perfect example of how a rapid breach response should be conducted, with prompt issuing of notifications and steps taken to minimize any danger to clients.