Happy Ending in Laptop Breach CasePremier Healthcare Says Missing Device Was Returned
See Also: HIPAA Audits: A Revised Game Plan
Some security experts, however, say that while the organization did the right thing in reporting the incident as a breach, it still might have violated the HIPAA Security Rule because the laptop was not encrypted.
In a March 14 statement, Premier, a physician group practice based in Bloomington, Ind., says the laptop that was discovered stolen from a locked office in its billing department on Dec. 31, 2015, was returned to the organization by U.S. mail on or before March 7.
Premier first publicly reported the laptop missing in a statement on March 3, which was then updated on March 8 with a total for the number of individuals - 205,748 - affected by the apparent breach. In that statement, Premier acknowledged that the stolen laptop was password-protected but was not encrypted.
No Evidence Data Accessed
Pondurance, an information security consulting firm that specializes in digital forensics and incident response, conducted a comprehensive forensic analysis of the device and determined the laptop had not been powered on since it went missing on Dec. 31, 2015, Premier notes in its latest statement. "Based on the forensic analysis and other circumstances of this case, there is no evidence that information on the computer was ever accessed causing a breach by any unauthorized third party," Premier says.
The latest developments in the incident have been reported to police, and an investigation is continuing, according to the physician group practice. Although Premier says the case is being investigated by the Bloomington Police Department, a police official tells Information Security Media Group that the case is actually being handled by the Monroe County Sheriff's Department, which did not immediately respond to a request for comment on the matter.
Premier also did not immediately respond to a request for additional information about the recovery of the laptop.
HIPAA Compliance Issues
Although the missing laptop was eventually returned, security and privacy experts say that the group practice was correct in issuing a breach notification and that the case still potentially puts Premier under scrutiny by the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA and investigates health data breaches.
"It's luck that the laptop was returned, and that individuals don't have to worry about their data because the laptop doesn't appear accessed or even turned on," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
But because the laptop was only password protected and not encrypted, "the incident shows that [Premier] potentially has underlying security issues," he says. "Premier complied with the HIPAA Breach Notification Rule, but it's uncertain whether it complied with the HIPAA Security Rule," which states that encryption is an addressable requirement, he notes. Under the security rule, organizations need to encrypt laptops and other computing and storage devices that are prone to theft or loss unless they document why an alternative security measure is reasonable and appropriate.
"While encryption is still an 'addressable' requirement, Premier has shown that it had yet to implement an alternative security measure to accomplish the same objective as encrypting the device," says Dan Berger, CEO of security consulting firm Redspin.
Premier said in its March 8 statement, however, that it has taken a number of steps to help prevent similar incidents, including beginning the process of encrypting all of its computers and reviewing its processes and protocols.
It remains to be seen whether regulators will launch a HIPAA compliance investigation based on the incident. "OCR has a long list of other major breaches to investigate, so it's a matter of resource allocation on whether they decide to investigate," Nahra says.
Privacy and security expert Kate Borten, founder of consulting firm The Marblehead Group, says based on the unusual recovery of the laptop and the forensics investigation concluding the laptop wasn't powered on while it was missing, the incident now isn't likely a reportable breach under HIPAA.
"If the forensics were sound, it appears that this was not a breach," she says. "When making a breach determination, one factor organizations must consider is whether the PHI was 'actually acquired or viewed' by an unauthorized party."
In any case, it's fortunate for Premier that the laptop was recovered, she notes. "Some lost devices are just misplaced and then found. But when a device is stolen, it's unlikely to be recovered."
Premier was correct in issuing its breach notification, despite the unusual circumstances of the laptop's eventual return, Borten says. "I do not believe Premier Healthcare jumped the gun" in its breach notification, she says. "In fact, many organizations delay notification until the 60 days [requirement for notification under HIPAA] has run out, or even longer. But the point of prompt notification - and some state regulations require even quicker notification - is to alert individuals of the potential danger," she says. "Premier Healthcare was lucky that this turned out not to be a breach, but this is appears to have been an exception."
The most important message in the Premier case, Berger says, is this: "Encryption of portable computing devices that contain PHI is your safest protection against breach."
Emails stored on the hard drive of the laptop contained some screenshots, spreadsheets and PDF documents that were used to address billing issues with patients, insurance companies, and other healthcare providers, Premier said. Those documents contained various combinations of patient demographic information, such as name, address, date of birth, medical record number, insurance information, and/or some clinical information. For 1,769 of the individuals affected, Social Security numbers and/or financial information were also potentially accessible on the laptop, Premier said.
OCR did not immediately respond to an ISMG request for comment on the case.