Laptop Theft Potentially Compromised the PHI of 43,000 Patients of Coplin Health Systems

Coplin Health Systems, based in West Virginia, has reported a potential PHI breach affecting 43,000 patients. The breach was caused by the theft of an unencrypted laptop computer from an employee's vehicle. Coplin Health learned of the theft on November 2, 2017 and reported it to law enforcement immediately. Law enforcement investigated the theft, but the laptop was not recovered.

Coplin Health believes the laptop did not contain patients' protected health information, but this cannot be confirmed with complete certainty, so the possibility of data exposure remains. The laptop had security controls in place to protect patient privacy in the event of theft: while the device could be used to gain access to patient data, the thief would first need a password to reach those resources.

As soon as Coplin Health's IT department learned of the theft, it changed the employee's login credentials so that the laptop could no longer be used to access Coplin Health's systems. Since the device was stolen, no one has accessed Coplin Health's systems using the laptop.

It is considered unlikely that the laptop had patient data stored on it. If it did, the types of information on the device would include patient names, dates of birth, addresses, Social Security numbers, and financial and health information. As a HIPAA-covered entity, Coplin Health has notified the 43,000 patients whose PHI was potentially exposed.

Coplin Health also took corrective action in response to the incident. Its security controls were reviewed to prevent similar incidents in the future, and employees will be monitored more closely to ensure they follow the company's policies and procedures. Employees who violate those policies will face disciplinary action.

Although encryption is not mandatory, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to use encryption if a risk assessment determines it is necessary. Where encryption is not implemented, the covered entity must put alternative safeguards in place. Coplin Health has not yet said whether it will implement encryption in the future.

About Christine Garcia

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA