Laptop with patients' info stolen from home

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.yumasun.com/news/drive-86835-patients-laptop.html

A burglar swiped a laptop and hard drive containing sensitive medical
and personal data for hundreds of mental health patients from Yuma and
across the state.

Alicia Z. Aguirre is the general counsel for Yuma's Arizona Counseling
and Treatment Services, a contracted provider with Cenpatico
Behavioral Health of Arizona. It was one of her employees who was the
victim of the burglary last month.

“Sometime between March the 18th and the 25th, someone broke into an
employee's home and stole a work laptop and external hard drive,”
among other belongings, she said.

The employee immediately filed a police report upon realizing there
had been a break-in and continued to look for the laptop and drive,
hoping they'd just been misplaced. But they didn't turn up.

The laptop was loaded with recovery tracking software. But the drive was not.

Saved to that drive were names, dates of birth and treatment plans —
but no Social Security numbers or financial information— of more than
500 patients served by ACTS and Cenpatico between 2011 and 2013. This
is information protected by the Health Insurance Portability and
Accountability Act, or HIPAA.

Aguirre said whoever stole the computer and drive probably wasn't
aware of what they really snagged, and she has no reason to believe
the equipment was stolen for its data content. She's had employees
checking pawn shops for the items, but with no luck.

Although she is notifying those patients and her firm will be offering
help with credit monitoring, the law requires Aguirre to make a wider
public notice because of the size of the breach.

Not all of the patients necessarily live in the Yuma area. ACTS also
provides services in La Paz, Pinal, Greenlee, Graham and Cochise
counties.

Aguirre said the computer equipment was out of the office because the
employee does some work from home. The employee is not at fault, she
said.

Potentially affected people will be getting a letter about the breach
if they haven't already. They can also call the ACTS Corporate
Compliance Office 1-800-218-6409 or write to info () actsaz com for more
information. The phone number and e-mail address should be up and
running by Friday.

Read more: http://www.yumasun.com/articles/drive-86835-patients-laptop.html#ixzz2QjWysGcZ
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.