Health Help, Inc. Data Breach (2013)

An unencrypted portable computer drive containing the electronic protected health information (ePHI) of 535 individuals was stolen from a workforce member's unlocked personal vehicle parked at home. The ePHI involved in the breach included names and birthdates. Upon discovering the breach, the covered entity (CE) provided notice to HHS, affected individuals and the media. Following the breach, the CE reminded employees of its safeguards policy, provided additional training to workforce members who are authorized to take laptops and mobile devices home, and improved safeguards by instituting random audits to ensure that unencrypted ePHI is not stored on computers and mobile devices. The CE also updated the computer usage agreement for employees and sanctioned the workforce member for violating its policy. OCR obtained assurances that the CE implemented the corrective action listed above.