A Massachusetts business associate has reported a breach of the electronic protected health information (ePHI) of 2,088 individuals. A laptop computer of an employee was stolen on August 23, 2018, and has been found to contain patients’ ePHI
RSC Insurance Brokerage, dba Re-Solutions, sent breach notifications to affected healthcare providers about the security breach on January 22, 2019, 5 months after the business associate learned of the laptop theft.
RSC explained in the breach notice sent to the California Attorney General that a third-party cyber security company was hired to determine what files had been saved on the laptop and whether ePHI had been exposed.
The business associate reported the theft to law enforcement and changed the employee’s credentials so that the thieves would not be able to use the laptop to access the RSC’s systems. However, since the laptop was not encrypted, only password protected, files on the device could potentially have been accessed.
There was no evidence found to suggest data on the device had been accessed or misused. However, since data access could not be ruled out, RSC has offered free membership to Experian’s IdentityWorks identity theft protection service to affected individuals for 12 months. RSC stated that security controls are being enhanced to improve portable electronic device security.
The Department of Health and Human Services’ Office for Civil Rights (OCR) was informed of the breach on March 1, 2019.
Arizona Medicaid Agency Reports Exposure of PHI
The Arizona Health Care Cost Containment System (AHCCCS), Arizona’s Medicaid agency, has discovered a programming error has affected a mailing of IRS 1095-B forms. IRS 1095-B forms confirm that a person has been signed up to a particular health plan.
AHCCCS sent the forms to 1.87 million members at the beginning of 2019 but found out that 3,146 mailings were sent to the wrong addresses. The mailings did not contain any Social Security number, only names and birth dates.
AHCCCS is mailing all affected individuals to inform them of the privacy breach and has resent their IRS 1095-B forms.