Brevard Physician Associates had a recent incident of burglary which resulted in the potential exposure of limited protected health information of about 8,000 patients. On the morning of September 4, 2017, thieves broke into the Brevard Physician Associates office and stole three desktop computers. The police responded immediately to the triggered burglar alarm but they were not able to catch the thieves. Investigators of the incident up to this time have not captured the criminals nor recovered the computers.
According to Brevard Physician Associates, there are no PHI files stored in two of the computers. But one computer had five audit files with limited information, which warranted the issuance of breach notifications to affected patients. Possibly compromised information included the patients’ names, insurance providers, CPT codes for services and the bill of services. The healthcare provider immediately sent breach notification letters to 7,976 patients in compliance with the required timeframe of HIPAA Breach Notification Rule.
There’s no strict provision in the HIPAA Security Rule that say computers must use encrypted files. So, even if the computers did not use encrypted files, it is protected with strong passwords. In addition, the computers can be remotely accessed to erase all data when necessary as a safety precaution. As soon as the device connects to the internet, all data will be remotely wiped out.
The potential risk of identity theft and fraud in this incident is very minimal if any. That is because the information stored in the computer were not exposed and the thieves for sure cannot access the information. Nevertheless, Brevard Physician Associates still offered to all affected patients one year of complimentary credit monitoring services.
Brevard Physican Associates was able to handle the data breach effectively. They were able to secure the health information data of patients stored in the computer, and they were able to issue the breach notifications to patients in time as per HIPAA Breach Notification Rule.