Encrypted Laptop Stolen While in Use
Thief takes device from hospice patient's home
Because the records system was on when the laptop was stolen, the encryption was not activated and the thief could have accessed some patient information, a spokesman for Rainbow Hospice and Palliative Care in Park Ridge acknowledges. As a result, the hospice alerted the 999 patients whose information was on the device about the incident.
Under the safe harbor in the HITECH Act's Breach Notification Rule, breach incidents involving encrypted data do not have to be reported. But in this case, the theft had to be reported to patients and federal authorities because the stolen device had a records system open, a hospice spokesman says.
In its letter to patients, the hospice offered one year's worth of identity protection through Debix Inc. "to help ease concerns and safeguard our patients from possible misuse of their personal information," according to a statement.
The hospice and Chicago police, however, have not received any reports of information on the device being used for fraudulent purposes. Once the computer was turned off, the thief would have had to navigate through multiple password protections as well as the encryption system to view data, the hospice spokesman notes.
Data on the laptop included patients' names, addresses, dates of birth, Social Security numbers, insurance information and certain healthcare information.
In addition to encrypting all its laptops using the standard specified in the HITECH Act, the hospice is now increasing password complexity, the spokesman says. It's also installing the LoJack for Laptops theft recovery service from Absolute Software Corp., which can help locate stolen devices.