University of Oklahoma’s Urology Clinic notifying 9,300 of possible HIPAA breach after yet another laptop is stolen from a physician’s car

In July, the University of Oklahoma College of Medicine – Department of Obstetrics & Gynecology notified almost 7,700 patients after a laptop was stolen from physician’s car.

Now the University of Oklahoma’s Urology Clinic is notifying 9,300 patients about the theft of another laptop with protected health information.

From their statement:

The University of Oklahoma takes patient privacy seriously and, out of an abundance of caution, has mailed letters to notify certain patients of a potential privacy matter. On or about August 14, 2015, the University was made aware that a laptop that may have included limited patient health information had been stolen from a physician who formerly worked for the University of Oklahoma Department of Urology. The theft occurred during the overnight hours of July 16 – July 17. The physician immediately contacted the local police and reported the theft of the laptop. The physician may have had a data base spreadsheet stored on the laptop, which was password-protected but not encrypted. The spreadsheet may have contained limited information from pediatric urology procedures occurring between 1996 and 2009, such as patient name, diagnosis and treatment codes and dates (most between 1996-2006), date of birth or age, a brief description of a urologic medical treatment or procedure, medical record number, and the treating physician’s name. Social Security numbers were not included. Addresses were not included. No credit or account information was included.

Possible theft of PHI from an unattended vehicle is bad enough, and the fact that this is the second laptop theft from a vehicle in relatively short order is certainly concerning, but here’s the part that may really raise an eyebrow or two at OCR:

The University determined on or about September 18 that the former physician and his current employer had not yet notified the University patients whose information may have been on the laptop, so the University is doing so.

Why would the University harbor any thought that the current employer would notify UO’s patients, when it was UO’s responsibility to protect their patients’ information?

And if that’s not serious enough, consider the fact that they didn’t know the physician had retained patient information:

The Department was not aware that the physician had taken any of its patient information with him when he left the University. The University has policies that generally prohibit the removal of documents that contain patient information from its premises and that require employees to protect patient information on laptops at all times, including by storing it securely.

The physician is not certain that patient information was on the laptop, but the University wanted to notify patients of this incident and assure them that this matter is being taken seriously. In addition, the University is offering to provide a one-year subscription to credit monitoring and reporting services at no cost to the patients whose information may have been on the spreadsheets, to address any concerns they may have.

The Department is taking additional steps to help prevent similar incidents from occurring and is providing additional training to employees on the importance of securing patient information. Individuals who believe they may be affected but who have not received a letter from the University may contact the Office of Compliance at 405-271-2511 or toll-free at 1-866-836-3150.

I’d love to know what those additional steps are to prevent a recurrence.

About the author: Dissent