UniHealth SOURCE Data Breach (2014)

In the process of researching this breach, I discovered a press release from UHS-Pruitt that seemed to contradict the media notice above. Then I realized the press release was from a UHS-Pruitt affiliate, UniHealth SOURCE, and it was reporting a second breach that also involved a laptop theft. The December 6th press release (pdf) reads, in part: UniHealth SOURCE, a provider of case management services in the Georgia Service Options Using Resources in a Community Environment (SOURCE) Medicaid waiver program, is committed to our clients privacy and compliance with all applicable federal and state regulations. The purpose of this notice is to identify a recent incident involving the theft of a computer laptop belonging to one of our employees. The laptop contained very limited information about current and former clients: specifically, the first and last name and, in some cases, potential diagnoses. The laptop did not contain any other identifying information, such as Social Security numbers or dates of birth, which could be used by an identity thief to financially exploit our clients. Although the laptop did contain the names of approximately 4,500 current and former clients of UniHealth SOURCE, UniHealth Select, and Blue Ridge Community Based Services, the level of financial risk to these individuals appears to be very low. On October 8, 2013, the employees laptop was stolen from her car at her home. The theft was reported to the police, and we continue to cooperate fully with the investigation. The computer laptop was used by the employee to access and maintain certain patient information for the purpose of quality assurance audits for health care services provided by the above-referenced offices. Upon discovery of the theft, all access through the employees stolen laptop to computer applications, such as electronic medical records, was cut off immediately. Nevertheless, we determined that the above-described patient information was stored locally on the computers hard drive. We have not received any indication that such information stored on the computer has been accessed.