Premier Healthcare Data Breach (2016)

Instead of a malicious hack from overseas or a ransomware attack, Premier Healthcare, a multispecialty physician group in Bloomington, Indiana, has reported a stolen laptop. (It's like 2014 all over again!) It's put the personal data of more than 205,000 people at risk. However, in this case, the computer didn't go missing from an employee's car or get left in a public place. The laptop was stolen Jan. 4 from Premier Healthcare's billing department, "in [the department's] locked and alarmed administrative office," the organization said. The laptop was not encrypted. Seriously, people are still doing this? (Note: the preceding sentence was taken verbatim from a MedCity News story written in December. It can't be repeated often enough.) "Premier has begun the process of encrypting all of its computers," the practice said in a notice to patients. A little late, don't you think? The HIPAA security rule doesn't explicitly require encryption of computers and hard drives that store protected health information, but it strongly encourages it. "Basically what they're saying is that you don't 'have to' encrypt, but if you choose not to you'd better be prepared to demonstrate, in writing, why you believe that," Donald F. Lee III, vice president of healthcare IT services at consulting firm Algonquin Studios, explained in 2013. As for the data, Premier reported that the stolen laptop contained e-mails with various "screenshots, spreadsheets and pdf documents that were used to address billing issues with patients, insurance companies and other healthcare providers" The documents included mostly demographic information and some clinical records for 205,748 people. Of that group, 1,769 had their Social Security numbers and financial data at risk. "There is no evidence to believe that the information on the laptop was the target of the theft or that any of that information has been accessed or used for fraudulent purposes," Premier Healthcare said. Two months later, the laptop still has not been recovered and the thief hasn't been identified.