CardioNet reports two breaches involving laptop theft (?) and other breaches newly revealed on HHS's breach tool

Sometimes it takes a while for me to track down details on a breach after seeing it mentioned on HHS’s breach tool.  And sometimes, it’s just too late. A case in point is an entry for Flex Physical Therapy in Washington, where apparently 3,100 patients were affected by a computer theft on December 30, 2011.  But by the time HHS posted the breach on February 24, the substitute notice Flex had placed in the media had already expired.  All that remains was a clause indicating it was an office burglary that snared three computers, one of which contained patient data.

Here are some other breaches recently posted to HHS’s breach tool that I didn’t know about and for which I can find no documentation or substitute notice on the Internet at this time:

  • Delta Dental, CA,,”11,646″, 12/22/2011 – 12/23/2011, Unauthorized Access/Disclosure,Paper
  • Department of Medical Assistance Services, VA,”ACS, Affiliated Computer Services, Inc.“, “1,444”, 11/02/2011 – 11/16/2011, Unauthorized Access/Disclosure,Paper
  • Medco Health Solutions, Inc., NJ, “1,287”, 11/30/2011, Unauthorized Access/Disclosure,Paper
  • Indiana Internal Medicine Consultants,IN, “20,000”, 2/11/2012, Theft,Laptop
  • CardioNet, Inc,PA,”1,300″, 11/10/2011,Theft, Laptop
  • CardioNet, Inc,PA, 728, 12/29/2011,Theft,Laptop

Also newly revealed was a breach at Georgetown University Hospital, but they kindly sent me the information, so they are not included in this list of our ignorance.

CardioNet did not respond to an inquiry asking about the two separate incidents that seem to have involved stolen laptops with unencrypted PHI.   At the present time, absent a response from them, these events will get coded as stolen laptops in databases, although I would prefer to get confirmation from them in light of my concerns about the accuracy of HHS’s breach tool.    I think those of us who track healthcare sector breaches also want to know whether the laptops were supposed to have been encrypted but weren’t, or whether CardioNet had no policy in place requiring encryption of all devices.  I imagine HHS will get into those issues in their investigation and I’ll eventually get some answers when I obtain information from HHS under Freedom of Information, but it would be nice to have information sooner rather than later.

About the author: Dissent