Protected health information at risk; Ebara Technologies notifies participants of computer theft (update 1)
Ebara Technologies, Inc. Employee Medical Benefit Plan has recently notified the New Hampshire Attorney General’s Office that a break-in at one of their vendors resulted in the theft of computers that may have contained protected health information of former and current plan participants.
From the description of the incident, it appears that the unnamed vendor was Colt Express Outsourcing Services, Inc., who made notification to CNet.Â In Ebara’s case, participants’ personal information included names, addresses, Social Security numbers, and/or flexible spending claims reimbursement information of plan participants and their dependents.
Somewhat puzzling, the notification letter says:
At this time, we do not know whether the protected health information of any Plan participants or dependents was actually taken.
Which raises the question, why don’t they know whether the data were on the stolen computers or not? And if the data were on the stolen computers, were they encrypted at the time of theft or not?Â And were they supposed to be encrypted at rest?
Is Ebara saying that they have not been told by Colt whether their files were on the stolen hardware? Given the details in Colt’s notification to CNet, this is somewhat surprising and bears further scrutiny.
Ebara has not offered plan participants free credit monitoring.
Update 1: A spokesperson for Ebara clarified their report and confirmed that Colt Express Outsourcing Services, Inc. was the source of the breach. Ebara plan participants’ data was on the stolen computer, but according to the spokesperson, because the owner of Colt Express Outsourcing Services, Inc. informed them by phone that the computer was “password-protected,” they wrote “may have” contained PHI in their notification to the NH AG and to plan participants. That type of notification is somewhat misleading, in my opinion, as a computer being “password-protected” may offer little obstacle to accessing any unencrypted data on the equipment, and their letter created the impression that no data may have been on the computer, when it was.