Arizona Counseling and Treatment Services (ACTS)
March 18, 2013
500
Confirmed
Physical Breach
Healthcare
More than 500 behavioral and mental health patients had their data compromised when a thief took an Arizona Counseling and Treatment Services (ACTS) employee’s laptop and hard drive containing that data. The stolen data included names, dates of birth and treatment plans, but no Social Security numbers or financial information, for patients served by ACTS and Cenpatico between 2011 and 2013. Cenpatico Behavioral Health of Arizona is a covered entity under HIPAA, and ACTS is a business associate that also provides services in La Paz, Pinal, Greenlee, Graham and Cochise counties. “Sometime between March the 18th and the 25th, someone broke into an employee’s home and stole a work laptop and external hard drive,” among other belongings, Alicia Aguirre, the general counsel for ACTS, told the Yuma Sun. Though the laptop had recovery software (the drive didn’t), it appears that neither was encrypted. The employee works from home and had permission to keep the laptop there, but allowing an unencrypted laptop with protected health information (PHI) into an employee’s home appears to have been an oversight, regardless of that permission. The extreme sensitivity of the data, which belongs to behavioral and mental health patients, further complicates the breach.