Back in March, PHIprivacy.net noted that a psychologist’s laptop containing PHI on 652 clients of Washington Department of Social and Health Services had been stolen from the psychologist’s car. As we reported at the time, the laptop was recovered from a pawn shop.
Today, there was an interesting follow-up from KING5, who report that Dr. Sunil Kakar’s license to practice as a psychologist has been suspended:
A Gig Harbor’s psychologist’s license has been suspended after a hooker stole his laptop, compromising medical records and sensitive information of his clients.
State Department of Health officials said Senil Kakar kept unprotected medical information on 652 DSHS clients on his personal laptop. Kakar’s laptop was stolen by a prostitue (sic), but he didn’t notify DSHS about the theft until five days later and misrepresented the number of people who could be affected.
Kakar can’t practice in Washington until the charges are resolved.
Having a professional license to practice suspended over a breach is not something we see every day.
These charges are not the first charges against Dr. Kakar, however. The state’s records show that in November 2012, he was charged with unprofessional conduct following several incidents, one of which involved an arrest for driving while impaired in 2011. An evaluation diagnosed him with cannabis and alcohol dependency, and he underwent treatment. That disciplinary action resulted in a consent agreement signed by Dr. Kakar in June 2013. The terms of the agreement involved him continuing with treatment, and being under supervision and monitoring for his practice as a psychologist. In the interim, one of his two contracts with DSHS had been put on “inactive” status because Dr. Kakar was allegedly not performing the contracted assessments and evaluations in a timely fashion, leading to clients having their benefits delayed.
On October 11, 2013, the state filed new charges against Dr. Kakar related to data security failures and unprofessional conduct. The new charges allege that Dr. Kakar had failed to encrypt client information as required by DSHS (and as PHIprivacy.net had reported back in March), that he had loaned his laptop computer to another as collateral on a debt, that his failure to secure his laptop properly resulted in his laptop being stolen and the information on 652 clients being put at risk, and that he failed to immediately and accurately report the theft both to DSHS and to the police. Not only did he not report the theft to the police in a timely fashion, but he allegedly changed his story, first telling DSHS that the laptop was stolen in one location, and then telling the police that it was stolen by a prostitute while he went to an ATM. The prostitute allegedly pawned the laptop, which is how it was recovered.
In total, Dr. Kakar’s behavior constituted a “pattern of non-protection of client medical info that would put all other current or prospective clients at risk,” and that required the state to immediately suspend his license.
Why it took the state from March until October to respond to the serious risk he allegedly posed to other clients is unclear, unless the state immediately suspended his contract in March. But even then, to the extent Dr. Kakar had any private clients, they would presumably have been at risk by his alleged failure to comply with security safeguards and to protect confidentiality of client information.
It is also unclear whether the supervisor, who was supposed to supervise Dr. Kakar “in all areas of the practice” ever inquired or supervised Dr. Kakar with respect to data security practices.
Hopefully local media in Washington will try to obtain more information on this case, although some of it may not be publicly available while the matter is under consideration.