Self Regional Healthcare has posted a notice on its web site concerning a data security incident:
On May 27, 2014, Self Regional employees discovered that two unauthorized individuals broke into one of its facilities and stole a laptop belonging to SRH. The theft occurred on Sunday, May 25, 2014. Upon learning of the burglary, SRH contacted law enforcement and worked closely with them. Both intruders have been arrested. The thief responsible for stealing the laptop confessed to the crime and stated that he destroyed and disposed of the laptop in a lake. The police sent divers in the water, but SRH and police have been unable to recover the stolen laptop to date.
“Self Regional takes the security of our patients’ personal information very seriously,” said SRH President and CEO Jim Pfeiffer. “We retained third-party computer forensic experts to assist with the investigation of this incident, even though the intruders admitted their actions to law enforcement and claimed never to have accessed the laptop. Because we do not have the laptop in our possession, Self Regional must assume there is a possibility that someone may have accessed certain patients’ protected health information,” he said. The protected health information that could have been accessed includes patients’ names, Social Security numbers, driver’s license numbers, treating physician names, insurance policy numbers, patient account numbers, service dates, diagnosis/procedure information, payment card information, financial account information, and possibly their addresses.
“In an abundance of caution, Self Regional is providing written notice of this incident to affected individuals, to the U.S. Department of Health and Human Services, as well as to certain state regulators,” said Craig White, vice president, corporate compliance and integrity. “We are also publishing notice of this incident on our website and to major statewide media. In order to help further safeguard affected individuals from any potential misuse of their personal information, we are offering affected individuals access to a complimentary one-year membership to Experian’s® ProtectMyID® Alert,” he said. This product helps detect possible misuse of personal information and provides individuals with superior identity protection support focused on immediate identification and resolution of identity theft.
Matt Bruce of the Index-Journal reports that SRH has not disclosed the total number affected, but Self Regional executives said the total was at least 500. He also reports:
In the wake of the break-in, Self officials said they have taken several security measures, such as encrypting each of the system’s laptops with sensitive patient information as well as physical security upgrades to the building.