DaVita notifies dialysis patients of breach

Adam Greenberg reports that DaVita is notifying approximately 11,500 dialysis patients of a breach that occurred when a laptop with unencrypted PHI was stolen from an employee’s car.

The notice on DaVita’s site, dated Nov. 5 and linked from its home page, reads:

DaVita®, a division of DaVita HealthCare Partners Inc., reported today that on Sept. 6, 2013, a laptop was stolen from a teammate’s vehicle. Although DaVita maintains a company-wide program and policy requiring encryption of laptop computers, DaVita discovered that the encryption technology on this particular device had been unintentionally deactivated.

DaVita has determined that personal information belonging to approximately 11,500 patients was on the laptop at the time of the theft. In most cases, this information included details such as name, clinical diagnoses (e.g., end stage renal disease), insurance carrier name, claims payment data and dialysis treatment information. For approximately 375 patients, the information stored on the laptop included Social Security numbers. Personally identifiable information for a very small number of DaVita teammates was also stored on the laptop. All affected individuals will receive letters with additional information.

DaVita takes its responsibility to protect its patients’ information very seriously and maintains extensive security and privacy programs. The laptop in question was password-protected and the theft was reported to law enforcement. DaVita has no evidence that the data on the laptop has been accessed or used. Nonetheless, out of an abundance of caution and to ensure that patients are protected, DaVita is offering affected patients one year of credit-protection services, including credit monitoring, identity recovery assistance and identity theft insurance through idexperts® at no charge.

“We sincerely apologize for any inconvenience or concern this incident may cause our patients,” said DaVita spokesperson Skip Thurman. “DaVita has reviewed its encryption practices and implemented additional safeguards to protect against any future instances of non-compliance with our encryption policies and procedures.”

Patients with questions or concerns regarding this incident or those seeking assistance with establishing their credit monitoring services can call 1-866-797-3792 toll free Monday through Friday, 9:00 a.m. to 9:00 p.m. EST.

DaVita and DaVita HealthCare Partners are trademarks or registered trademarks of DaVita HealthCare Partners Inc.

If DaVita’s name rings a bell, it may be because I reported three other breaches they experienced in 2008 and 2009:

  • In March 2008, they reported that a laptop stolen from an employee’s car contained unencrypted patient information that included insurance filings for dialysis services for current and former patients, including name, social security number, medical insurance coverage information, and/or other personal and health related information.
  • In December 2008, DVA Renal Healthcare reported that unencrypted patient information was involved in a burglary at a Florida facility and that the “documents may have contained your name, social security number, medical insurance coverage information, and/or other personal and health-related information.”
  • In August 2009, they reported that Renal Treatment Centers Southeast – LP, an affiliate of DaVita, suffered a data loss when a DaVita facility in Dallas was burglarized and multiple desktop computers were stolen. The stolen hard drives contained dialysis insurance documents which contained patients’ names, addresses, SSN, insurance numbers, treatment records, progress notes, and other personal or medical information.

Four incidents of theft involving unencrypted patient information? Given that we don’t find out about most breaches, this may not be an unusual rate for a 5-year period, and if they went four years without a reportable breach, then that may reflect progress. It’s also commendable that this time, unlike past breaches, they offered affected patients free credit-monitoring services. But four breaches that all could have been avoided if encryption had been properly deployed and verified on a regular basis? How… frustrating.
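The control the post is asking for is not just "turn encryption on" but "keep proving it is still on," so that a laptop whose encryption was unintentionally deactivated is caught before it goes missing. The following is an added example, not DaVita's code or any vendor's tooling: it runs a scheduled compliance check over a constructed device inventory (hypothetical device ids, owners and check-in dates) and flags every laptop that reports encryption off, has never reported at all, or has not re-verified within the allowed window.

```python
"""Fleet full-disk-encryption compliance check over a constructed inventory.

Added example, not code from the original post or from DaVita. The device
records below are constructed; in practice they would come from the
endpoint-management agent that reports each laptop's encryption state.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DeviceReport:
    device_id: str
    owner: str
    encryption_enabled: Optional[bool]  # None: agent never reported a state
    last_checkin: Optional[datetime]    # None: device never checked in


# Constructed "now" and sample inventory (hypothetical values).
NOW = datetime(2013, 9, 1, tzinfo=timezone.utc)
INVENTORY = [
    DeviceReport("LT-0001", "alice", True, NOW - timedelta(days=1)),    # healthy
    DeviceReport("LT-0002", "bob", False, NOW - timedelta(days=2)),     # encryption switched off
    DeviceReport("LT-0003", "carol", True, NOW - timedelta(days=45)),   # last proof is too old
    DeviceReport("LT-0004", "dave", None, None),                        # never verified
]

Finding = Tuple[str, str]  # (device_id, reason)


def find_noncompliant(inventory: List[DeviceReport],
                      now: datetime = NOW,
                      max_age: timedelta = timedelta(days=30)) -> List[Finding]:
    """Return (device_id, reason) for every device that fails the policy.

    A device is compliant only if it has reported within `max_age` and that
    report says encryption is enabled. Silence is treated as non-compliance:
    a laptop that stopped reporting may be exactly the one whose encryption
    was disabled.
    """
    findings: List[Finding] = []
    for dev in inventory:
        if dev.last_checkin is None or dev.encryption_enabled is None:
            findings.append((dev.device_id, "never_verified"))
        elif not dev.encryption_enabled:
            findings.append((dev.device_id, "encryption_disabled"))
        elif now - dev.last_checkin > max_age:
            findings.append((dev.device_id, "stale_verification"))
    return findings


def compliance_summary(inventory: List[DeviceReport],
                       now: datetime = NOW,
                       max_age: timedelta = timedelta(days=30)) -> dict:
    """Counts suitable for a recurring report to the security team."""
    findings = find_noncompliant(inventory, now, max_age)
    return {
        "total": len(inventory),
        "noncompliant": len(findings),
        "compliant": len(inventory) - len(findings),
    }


if __name__ == "__main__":
    for device_id, reason in find_noncompliant(INVENTORY):
        owner = next(d.owner for d in INVENTORY if d.device_id == device_id)
        print(f"{device_id} ({owner}): {reason}")
    print(compliance_summary(INVENTORY))
```

Run on a schedule, each finding becomes a ticket to fix the device (or retrieve it) before it leaves the building; the key design choice is that a missing or stale report is a failure, not a pass.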

About the author: Dissent