The protected health information of some patients and payment guarantors was compromised because the unencrypted laptop computer that Clinical Pathology Laboratories Southeast Inc (CPLSE) issued to an employee was stolen. CPLSE took immediate action so that the stolen laptop would not be able to connect to its network. CPLSE also informed law enforcement about the theft as soon as possible. However, there is a possibility that unauthorized individuals already viewed the protected health information stored on the laptop.
Investigators went to work to find out what types of information were contained in the stolen laptop. Their findings indicated that the following types of PHI were likely exposed: names, addresses, government ID numbers, Social Security numbers, driver’s license numbers, medical treatment details and medical record numbers.
CPLSE already notified the patients impacted by the breach. The patients received some recommendations on how to protect themselves from data misuse. They were also offered free credit monitoring and identity theft protection services.
In addition, CPLSE had to do certain things to keep similar incidents from happening again. Staff received HIPAA compliance training on data security. The policies and procedures were reviewed and updated as necessary. Portable devices with ePHI were encrypted for extra protection.
The theft occurred on September 20, 2017. CPLSE uploaded the substitute breach notice to their website on March 21, 2018. It took 6 months for CPLSE to announce the incident, which is a violation of the HIPAA breach notification rule that requires notifications to be issued within 60 days of the discovery of a breach. CPLSE did not give any reasons or explanation for the delay in notification.
The Department of Health and Human Services’ Office for Civil Rights has not yet published the incident on their breach portal. CPLSE has not yet confirmed the number of individuals affected by the data breach.