Unencrypted patient info from 2008 left in a van, and… yeah.
From their disclosure notice:
Western Health Screening (“WHS”) is an organization that offers comprehensive blood screening tests. It partners with community organizations, such as hospitals, to provide onsite blood screenings at Health Fairs throughout the Western slope of Colorado. You have been a participant at Health Fairs in the past that were sponsored by either Montrose Memorial Hospital; Gunnison Valley Health; or Delta County Memorial Hospital (the “Hospitals”).
WHS recently learned that a vehicle owned by WHS en route to a Health Fair and passing through Salt Lake City, Utah, was stolen. There was a piece of computer equipment known as a “jump drive” belonging to WHS that was in the stolen vehicle. Upon learning of this theft, WHS immediately investigated and determined that the jump drive, which was password protected, but unencrypted, contained participants’ personal information. WHS learned of the theft on February 7, 2017, but determined that the jump drive was unencrypted on February 15, 2017. WHS is sending this letter to you as part of WHS’s, and the Hospitals’, commitment to privacy. We take privacy very seriously, and it is important to us that you are made fully aware of this incident.
When WHS learned of the theft, it immediately reported the theft to the Salt Lake City Police Department. The jump drive has not been recovered and the police continue to investigate. WHS also conducted its own internal investigation. WHS determined that the jump drive contained demographic information that had been collected by WHS for health fair participants from the years 2008-2012, including health fair participants’ names, addresses, phone numbers and in some instances Social Security numbers. WHS also determined that the jump drive can only be accessed via a unique password. The jump drive did not contain any medical information such as blood test results, nor did it contain any financial information such as credit card numbers or other source of payment information. To date, WHS has no evidence that any participants’ information was accessed by unauthorized persons or that any participants’ personal information has been misused.
We are notifying you out of an abundance of caution so that you can take appropriate steps to protect yourself. To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide identity monitoring at no cost to you for one year.[…]
So why was a portable device with unencrypted patient information from 2008 – 2012 even in the van in 2017? If they needed old information as part of the current screening services, then how might they have accessed it more securely? At the very least, the data or drive should have been encrypted. Did Western Health Screening’s risk assessment include portable devices left in vans or taken out in the field for screenings? I would hope so.