HIPAA breach puts blame on business associate

2,700 patients affected
By Erin McCann
10:59 AM
Share
Laptop data breach
A New York healthcare provider is notifying its patients that their medical data has been compromised after one of its business associates reported the theft of an employee-owned laptop and unencrypted smartphone. 
 
The New York-based Senior Health Partners, part of the Healthfirst health plan, has mailed out breach notification letters to 2,700 of its members after discovering that a laptop and mobile phone belonging to a registered nurse employed by its business associates were reported stolen. 
 
 
Officials say the nurse's laptop, which was stolen back on Nov. 26, was encrypted, but the encryption key was in the laptop bag that was taken. The mobile phone stolen was neither encrypted nor password-protected. The nurse was employed by Senior Health Partners' business associated with Premier Home Health, which notified the long-term care provider on Dec. 10. Affected patients were mailed notification letters Jan. 30. 
 
An investigation into the theft found that the privately-owned laptop included a "potentially accessible" email, containing patient names, demographics, Social Security numbers, Medicaid IDs, dates of birth, clinical diagnoses and treatment information and health insurance claim numbers.
 
 
"Senior Health Partners sincerely regrets that this incident occurred," read a Jan. 30 press statement. "It takes the privacy and security of members' health information very seriously and expects its vendors to do the same. SHP values the trust its members have placed in it as their health plan, and it is SHP's priority to reassure its members that it is taking steps to ensure its members' information is protected."
 
Asked what Senior Health Partners' policy was around encryption and using privately owned devices for work purposes, Healthcare IT News did not receive a response before publication time. 
 
To date, nearly 42 million individuals have had their protected health information compromised in a reportable HIPAA privacy or security breach, according to data from the Department of Health and Human Services.