It was bound to happen sooner or later. Today I received a letter from a health care provider notifying me that my personal data was on a system that had been stolen. The notification letter outlined:
  • date of the theft (Dec 29th or 30th)
  • the nature of the theft - someone broke in and physically stole two laptop computers
  • police case number
  • outline of physical security currently employed
  • highlighted that the laptops were password protected
  • it was unclear if the data file had any additional password protection - the letter refers to the data as password protected, but it reads as though they are referring only to the operating system's login password
  • the information on the laptops included name, DOB, SSN, medical record number, diagnosis, maiden name, procedure codes, religion, occupation, mother's maiden name, father's name and more that weren't deemed important enough to make the list but can be obtained by calling them
  • a list of credit agencies to check with to monitor fraudulent activity
  • information on how to protect your social security number
The notification suggests that the theft was motivated by someone wanting to sell the laptops rather than by any interest in the data they contained. I hope that is the case, but there needs to be more attention paid to protecting data at rest - especially when it can wind up on laptop or desktop systems that can be carried out the door. Unfortunately, HIPAA only mandates encryption for information travelling over an open network, so it won't stem the flow of notification letters for situations like this.