A US healthcare provider has been forced to notify 43,000 patients of a potential data breach due to the theft of a laptop from an employee’s car.
Officials at West Virginia-based Coplin Health Systems discovered the theft on November 2. While the laptop was equipped with security tools and was password-protected, the data stored on its hard drive was not encrypted.
Data on the laptop included patient names, Social Security numbers, financial information, addresses, dates of birth and medical data.
Upon discovering the theft, officials disabled the computer’s access to the organisation’s network and have continuously monitored systems for unauthorised access. Law enforcement and the US Department of Health and Human Services (HHS) were notified of the theft.
Coplin officials are continuing to work with law enforcement on the incident.
“To date, no one has attempted to use the stolen laptop to access any of our IT networks. Nor have we received any information from law enforcement authorities or from any patients that would suggest that any person’s personal information has been accessed or used improperly,” wrote Coplin Health Systems CEO Derek Snyder.
The health system is reviewing internal policies to ensure adherence by employees. It is also reviewing security measures to find vulnerabilities and will enforce disciplinary actions on employees who violate those standards, officials said.
The breach is a serious reminder that encryption should be mandatory for all data at rest, since threats do not come only from cybercriminals.
In March 2016, North Memorial Health Care of Minnesota reached a $1.55 million settlement with HHS stemming from the 2011 theft of an unencrypted laptop from a business associate’s workforce member’s vehicle. North Memorial was found to have violated HIPAA on several counts, including failure to have a compliant business associate agreement in place.
Puerto Rico-based MAPFRE Life Insurance settled with HHS in January 2017 for a September 2011 theft of an unencrypted USB drive containing the data of 2209 patients from its IT department. Officials said MAPFRE didn’t have necessary safeguards in place.
A version of this article was originally published in the US edition of Healthcare IT News.