Possible PHI Exposure Following Theft of Unencrypted Laptop from Virginia Health Practice

by | Oct 26, 2017

An unencrypted laptop device has been stolen from the automobile of an staff worker of Bassett Family Practice in Virginia, possible leading to the exposure of the protected health information of the Practice’s clients.

It is believed that the device, a laptop computer, was stolen during the weekend of 12/13 August. Patients were advised of the possible exposure of their private health data on October 13, 2017. The two-month delay in sending notifications was due to the time taken to recover the missing files and information from backups and to analyse those files to see which clients had been placed at risk and the types of PHI stored on the laptop.

The computer was found to store some details about patients’ appointments with the practice, along with their names, date of birth, account number and their insurance provider details. The laptop also held information the referred to account balances. No Social Security numbers or credit or debit card details were stored on the laptop device.

It is not company policy to store any protected health details on laptop computers. The files were transferred to the device as Bassett Family Practice was moving to a new IT infrastructure. The Bassett Practice was also in the process of encrypting all of its laptop computers.

It is not mandatory under HIPAA that data encryption should be used to secure stored data, even when PHI is held on portable devices that are taken from healthcare facilities. Data encryption must be considered, and if the decision is taken not to encrypt data, the decision, and reasons behind it, must be recored. An alternate, equivalent measure must then be used as an alternative means of security to encryption.

Bassett Family Practice had implemented a system that would issue a notification if any data access happened, and no notification has been received. Should it happen that the thief does attempt to access private personal data stored on the device, the practice can remotely wipe the information on the device. The danger of patients’ PHI being viewed and misused is therefore believed to be minimal in this case.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy