Alere Home Monitoring notifies 100,000 patients after laptop stolen from employee's car
More than 100,000 patients who take drugs to prevent blood clots are at risk of identity theft. An employee of Alere Home Monitoring, Inc. had the patient data on a laptop that was stolen. The computer file contained the names, Social Security numbers, addresses and diagnoses of patients who take anticoagulant drugs such as warfarin or Coumadin.
The company became aware of the data breach around Oct. 1, said Doug Guarino, director of corporate relations for Alere, Inc.
Read more on news-press.com.
So far, I haven’t found any statement on Alere’s web site nor any substitute notice in the media. With my usual “let’s keep digging” attitude, though, I did find where someone posted the contents of the notification they had received. I do not know if this is the complete letter, but here’s what I found:
We are writing to inform you of an incident that may have involved your personal information that occurred on September 23, 2012. A car belonging to an Alere Home Monitoring employee was burglarized. One of the items stolen from the car was the employee’s laptop. While the laptop was password protected, it did contain a file with your personal health information. Some of the information included in this file was your name, address, date of birth, Social Security number, and diagnosis. A police report was filed, but so far the laptop has not been recovered.
Please note that we have no evidence that any of your information has been disclosed or misused as a result of this incident.
To help safeguard you from misuse of your personal information, we have arranged for you to receive identity protection from Experian Security Assistance at no cost to you. The Experian Security Assistance service will be valid for one (1) year from the date you register.
You must register with Experian Security Assistance to receive this complimentary identity protection service.
*Activate ProtectMyID Now in Three Easy Steps.
1. ENSURE: That you enroll by January 31, 2013.
2. VISIT the ProtectMyID Web Site: www.protectmyid.com/redeem or call 1-866-578-5412 to enroll.
3. PROVIDE Your Activation Code: E****TC**. (my deletion of code)
Once your ProtectMyID membership is activated, your credit report will be monitored daily for 50 leading indicators of identity theft. You’ll receive timely Credit Alerts from ProtectMyId on any key changes in your credit report which could include new inquiries, new credit accounts, medical collections and changes to public records.
We sincerely regret that this occurred and want to assure you that we have implemented steps to prevent it from happening again. If you have further questions or concerns about this incident, you can contact us at 1-866-578-5412
HIPAA Privacy Officer, Alere Home Monitoring
The recipient’s comment was spot on:
Yes, I definitely will be calling them tomorrow since I canceled my Alere INR Medicare scheme this past June. What was my information doing in a laptop. Why wasn’t it purged? Why was the employee carrying around a laptop with all that information on it? Geez…
To her questions, I would add:
1. Why weren’t the data encrypted?
2. Why was a laptop left in an unattended vehicle?
3. Was there a substitute media notice? If so, where was it published?
4. Why is there no prominently displayed notice on Alere’s home page?
5. Will HHS actually fine entities for leaving unencrypted data in cars?
Other people who received the letter were confused because they had never done business with Alere. A forum member responded:
This is how Alere got hold of the records. Anyone who dealt with QAS, Inverness Medical or Hemosense, your records are with Alere.
I cannot confirm the accuracy of that explanation, but Alere certainly should address it. We’ve seen this kind of problem before. All too often, people don’t know why or how an entity obtained their data. Entities would be well advised to include some statement in their notification letter if they had bought out another firm or entity, etc. If they don’t, people may suspect the letter is just a ruse to get their personal information and may ignore the advice to protect themselves.
I’ve sent an email inquiry to Alere’s corporate relations asking for a statement and some answers. I’ll update this entry when I get a response.