Burglary Leads to Breach
Device lacked encryption
The laptop contained the Social Security numbers of about 650 people, Shands reports. Other personal information stored on the laptop may include names, addresses, physician names, medical record numbers and abbreviated medical procedure or condition codes.
A Shands employee had downloaded the health information onto an unencrypted Shands-owned laptop at home for work-related purposes, the provider organization reported.
The employee reported the computer stolen on Jan. 27 when the employee's home was burglarized. Shands immediately notified the Gainesville Police Department and initiated an investigation into the theft. Shands also immediately launched an internal investigation.
Although Shands says it has no evidence that any of the confidential information stored on the computer has been used for fraudulent purposes, it is mailing notification letters to affected individuals this week. The letters contain "instructions about taking additional protective steps," the organization says. Shands also has posted a notice on its Web site.
The HITECH Act's breach notification rule requires providers to notify those affected by a breach within 60 days. The theft of properly encrypted information, however, does not need to be reported.
The organization says it has launched a "systemwide encryption initiative to better safeguard protected health information stored on Shands-owned computers, laptops and other portable communications devices as well as on employee-owned devices used to support Shands work."