The protected health information (PHI) of almost 8,000 clients of Brevard Physician Associates may have been accessed following the theft of an office computer in a recent break-in.
The burglary happened on September 4, 2017 – Labor Day – when the offices were shut for the holiday. Early that morning, individuals broke into the premises and took three office computers.
The burglary set off the alarm system and local police responded, although not in time to catch and arrest the individuals. A forensic examination of the office was carried out, but so far the burglars have not been caught and the computers have not been recovered.
Two of the office computers did not hold any protected health information, but the third had five audit files saved to its hard drive. The data in those audit files was restricted, although there was sufficient information to prompt the issuing of breach notifications to patients.
Brevard Physician Associates acted speedily and sent breach notification letters to affected patients well within the timeframe permitted by the HIPAA Breach Notification Rule. Overall, 7,976 patients were possibly impacted. The data exposed consisted of names, names of insurance providers, CPT codes for the services supplied, and the amounts charged for services.
The HIPAA Security Rule does not mandate the use of encryption on files, although if the decision is taken not to encrypt data, an alternative, equivalent security measure must be used to safeguard the confidentiality, integrity, and availability of PHI. While these particular computers were not encrypted, they were protected with strong passwords. Brevard Physician Associates also reports that these computers can be remotely wiped of all data, and that this security control has been triggered. If the devices are connected to the Internet, all data on them will be remotely wiped.
Brevard Physician Associates believes the danger – and future danger – of identity theft and fraud due to the incident is minimal. Even though addresses, dates of birth, telephone numbers, Social Security numbers, financial data and insurance ID numbers were not accessed and could not be seen by the thieves, steps have been taken to offer all affected patients 12 months of complimentary credit monitoring services.
The quick response from Brevard Physician Associates is to be commended. The speedy breach response, the prompt issuing of notifications and the steps taken to lessen risk have greatly benefited its clients.