Erickson Living Data Breach (2012)

The five laptops stolen in November from Riderwoods physical therapy offices contained patient names and addresses, policy numbers, dates of birth and certain insurance information, according to Erickson Livings website. Erickson Livings Dan Dunne, director of communications, said the thefts were highly unusual in the Silver Spring retirement communitys 13-year history. It has been three months since the last theft occurred at the facility and five months since the laptops were stolen prompting the facilitys HIPAA Privacy Rule violation with the U.S. Department of Health and Human Services. HIPAA provides standards and federal protection for personal health information. A public notice of the HIPAA breach notification on Ericksons website said five laptops were stolen from Riderwoods physical therapy offices on the weekend of Nov. 17 through Nov. 18. The statement also says the incident was reported to local law enforcement authorities, and the laptops were password protected. An internal review reveals that not all of the files on the laptops were encrypted, including patient names, information about services provided, dates of birth and certain insurance information. Upon further review, the statement says, unencrypted information also included Erickson health plan member names, addresses and policy numbers. Dunne said Riderwood remains committed to its standard of privacy and has taken multiple actions to safeguard patient information. Those measures include updating systems to assure encryption of files and devices, revised security policies and procedures and additional training for employees on federal and state privacy and information security requirements. Riderwood has always taken the privacy of its residents and patients seriously by carefully managing their health information, Dunne said. While Dunne would not confirm whether residents locks have been changed following the string of thefts occurring in eight separate units where there was no sign of entry, he said they have increased campus surveillance, improved border fencing and security and established a plan for re-keying apartment locks and modification to onsite key management protocol. Due to the ongoing investigation, we are unable to discuss anyone who may be considered a suspect, Dunne said. Once apprehended, we intend to prosecute those involved to the fullest extent of the law. Dunne said he does not believe any of the stolen items have been recovered as of Tuesday morning. The HIPAA notice did mention that the motive of the crime appears to be the laptops themselves and not the information contained on them. Montgomery County Police would not comment on the incidents but said they are working with the Prince Georges County Police in their investigation. The community is located in both jurisdictions.