Two laptops with PHI stolen from UHS-Pruitt employees' cars in a two-week period

One of the breaches added to HHS’s public breach list today gave me a bit of a headache. Well, to be honest, they generally all give me a headache, but this one took me time to sort out. And although I may have a headache now, I suspect UHS-Pruitt may have a bigger headache. 

It seems that UHS-Pruitt Corporation in Georgia reported that 1,300 patients had PHI on a laptop that was stolen on September 26, 2013.

I could find no media coverage of the breach or notice on their site, but I was able to locate a cached copy of Georgia Public Notice that showed the following notice ran on November 15 in the Albany Herald, Dougherty County:

UHS-PRUITT CORPORATION NOTIFIES RESIDENTS OF BREACH OF UNSECURED PERSONAL INFORMATION

UHS-Pruitt Corporation (“UHS-Pruitt”) has provided notice to current and former residents of Heritage Healthcare of Ashburn, UniHealth Post-Acute Care Augusta Hills, Heritage Healthcare of Fitzgerald, Heritage Healthcare at Osceola, Palmyra Nursing Home and Sylvester Healthcare of a breach of unsecured resident medical and financial information after discovering the following event:

On September 26, 2013, a computer laptop belonging to an employee of UHS-Pruitt was stolen from the employee’s locked car. The theft was immediately reported to the police, and UHS-Pruitt continues to cooperate fully with the investigation. The computer laptop was used by the employee to access and maintain certain patient information for purposes of processing payment for health care services provided by the above-referenced nursing facilities.

Upon discovery of the theft, all access through the employee’s stolen laptop to computer applications on our shared system, such as electronic medical records, was cut off within a matter of hours. Nevertheless, UHS-Pruitt determined that documents containing lists of patient names and other identifying information, such as social security numbers, Medicare numbers, dates of birth, and resident ID numbers were also stored locally on the computer’s hard drive. UHS-Pruitt has not received any indication that such information stored on the computer has been accessed or used by an unauthorized individual at this time.

UHS-Pruitt is notifying impacted residents to mitigate any potential damages of the breach. UHS-Pruitt Corporation has safeguards in place to protect the privacy and security of resident health information. As a result of this breach, steps are underway to further improve the security of its operations including enhancing privacy and security policies and procedures, security training and improved technical protection of the data. In the notice to residents, UHS-Pruitt has informed the individuals of the steps they should take to protect themselves from potential harm resulting from the breach including placing a fraud alert on their credit report with the three major credit bureaus and examining their credit report for evidence of potential fraud. UHS-Pruitt’s Privacy Officer is available for residents to call with questions related to the data breach. Affected individuals may call (678)533-6437 or 1-800-222-0321 from 9:00 a.m. until 5:00 p.m., or call 1-800-222-0321 at any time to request a returned call from the Privacy Officer.

But wait (as the commercials say), there’s more….

In the process of researching this breach, I discovered a press release from UHS-Pruitt that seemed to contradict the media notice above. Then I realized the press release was from a UHS-Pruitt affiliate, UniHealth SOURCE, and it was reporting a second breach that also involved a laptop theft.

The December 6th press release (pdf) reads, in part:

UniHealth SOURCE, a provider of case management services in the Georgia Service Options Using Resources in a Community Environment (SOURCE) Medicaid waiver program, is committed to our clients’ privacy and compliance with all applicable federal and state regulations. The purpose of this notice is to identify a recent incident involving the theft of a computer laptop belonging to one of our employees. The laptop contained very limited information about current and former clients: specifically, the first and last name and, in some cases, potential diagnoses. The laptop did not contain any other identifying information, such as Social Security numbers or dates of birth, which could be used by an identity thief to financially exploit our clients. Although the laptop did contain the names of approximately 4,500 current and former clients of UniHealth SOURCE, UniHealth Select, and Blue Ridge Community Based Services, the level of financial risk to these individuals appears to be very low.

On October 8, 2013, the employee’s laptop was stolen from her car at her home. The theft was reported to the police, and we continue to cooperate fully with the investigation. The computer laptop was used by the employee to access and maintain certain patient information for the purpose of quality assurance audits for health care services provided by the above-referenced offices. Upon discovery of the theft, all access through the employee’s stolen laptop to computer applications, such as electronic medical records, was cut off immediately. Nevertheless, we determined that the above-described patient information was stored locally on the computer’s hard drive. We have not received any indication that such information stored on the computer has been accessed.

I’ve sent an inquiry to UHS-Pruitt asking whether the employee(s) were violating any policies by having unencrypted PHI on their laptops and by leaving their laptops in their cars. I also inquired whether any employees were disciplined over these breaches, and will update this post if I get a response.

About the author: Dissent