Social Security numbers, health information for 8,000 patients compromised
Westmoreland, Tenn.-based HOPE Family Health is notifying 8,000 patients of a data breach after an unencrypted company laptop used by a finance department employee was stolen.
On Aug. 4, officials learned the laptop was stolen from the employee's home during a series of neighborhood burglaries. Reportedly, following a police investigation, several individuals were arrested and charged with possible involvement, officials say.
The laptop contained patient names, Social Security number, proprietary financial records, billings records, patient account information, dates of birth and addresses.
[See also: Ready or not: HIPAA gets tougher today.]
As a result of the data breach, HOPE Family Health officials have now put all digital private patient information on an encrypted server instead of individual computers. Additionally, all employees are required to attend information management training to ensure that they are aware of policies regarding safely handling patient data.
Its new eClinicalWorks electronic health record system has also been moved to an encrypted cloud-based server, according to officials.
"We understand that this event may cause worry and inconvenience in your life, and for that we are deeply sorry," wrote Joey Forman, HOPE Family Health chief information officer, in a Sept. 2 notice to patients. "We sincerely regret this incident occurred on our watch and commit to minimizing the risk of anything similar taking place in the future."
Since the final breach notification rule was issued in August 2009, Tennessee has seen 24 big -- involving 500 or more individuals -- HIPAA privacy and security breaches compromising the protected health information of some 1,141,882 people, according to data from the Department of Health and Human Services.
Back in 2009, in one of the biggest HIPAA breaches ever reported, Blue Cross Blue Shield of Tennessee reported stolen 57 unencrypted computer hard drives from one of the company’s leased facilities. The hard drives contained health information, insurance data and Social Security numbers for 1,023,209 members. BCBST paid over $6 million for additional data encryption, and spent nearly $17 million for protection, investigation and member notification. The $1.5 million settlement paid to the HHS was the first enforcement action resulting from HITECH Breach Notification Rule.