BASSETT - The records from more than 500 patients at Bassett Family Practice were stolen in August, company officials say. On Friday, officials from the facility sent out letters to all of their patients, informing them what was included in the theft and what steps the medical practice is taking to prevent it from happening again.
The patient information included each person’s full name, date of birth, account number at the medical practice, identity of their insurance provider and potentially some details about the reasons behind recent visits to Bassett Family Practice, such as the type of sickness a patient was suffering from. All of that information was stored on a laptop, which was sitting in an employee’s car. Officials at the practice say they aren’t certain on a specific date, but say the laptop was stolen from the employee’s vehicle between the evening of Aug. 12 and the morning of Aug. 14. While a police report was filed immediately, officials with the facility waited until Oct. 13 to inform patients of the incident.
“The time was spent working with law enforcement, consulting our legal counsel, recovering the backup and researching the files,” said Bassett Family Practice Finance Director Alvin Franks, when asked why the facility had delayed in releasing the information. “The files to be researched were voluminous and we wanted to ensure we were not double counting anyone.”
In this case, Franks said Bassett employees had to first search for and find the backup to the stolen laptop, in order to see what information had been transferred on to it. In the letter sent out to patients, the facility states that “while there were details about office visits, such as [the] identity of the affected individual’s provider name and reason for visit, much of the information for the affected individuals was account balance information for the procurement of medical services contained in spreadsheets, which, by law, is still considered HIPAA protected information.”
Bassett Family Practice officials made it clear repeatedly, both in the letter and speaking with Bulletin staff, that there were no social security cards, debit or credit card information stored on the stolen laptop.
The information had to be released before Oct. 15, as theft of patient records is a violation of HIPAA, the Health Insurance Portability and Accountability Act. Signed into law in 1996, HIPAA gives specific instructions for safeguarding a patient’s medical records and other information. The Bulletin reached out to officials with the U.S. Department of Health and Human Services and they directed us to the department’s website, which gave a complete breakdown of the law. According to the department’s website, notice of any type of breach has to be “provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.”
Since the breach took place at some point between Aug. 12 and 14, letters had to be sent out no later than Oct. 14 in order to fall within the 60-day window. A copy of one of the letters sent out by Bassett Family Practice, which the facility provided to the Bulletin, gives a date of Oct. 13 for when this was sent out. HHS officials said that because there is some question about when the theft occurred, that letter met the time requirements. They also said Bassett employees didn’t break any laws by not immediately informing patients.
As for taking the laptop out of the facility, there is no portion of the HIPAA Security Rule that makes that decision illegal. The current HIPAA edition, which has been revised over the last two years, states that a facility “must have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media, to ensure appropriate protection of electronic protected information.”
When asked on Monday, HHS officials also could not point to anything stating that removal of a laptop containing patient information from a facility violated policies.
The information was on a laptop in the first place because the facility was in the middle of a transition to a new IT system. As part of that switch, which is now complete, all patient information is stored only on a company server and not on any laptops being used by employees. Franks also said the medical practice was moving files already on laptops to the server, as well as encrypting all laptops with Symantec Encryption Software.
As of Oct. 16, there was nothing to report from law enforcement in terms of a suspect or any leads on who may have stolen the machine. Based on the fact the laptop was unlabeled and had been stolen from inside the vehicle, Bassett officials said they didn’t think it was stolen with the intent to access protected health information.
To the knowledge of both local law enforcement and Bassett Family Practice employees, no one has accessed the patient information. They know this because if the patient information is accessed, the facility’s server will receive a notification. If that happens, Franks said employees can protect the information by remotely wiping the laptop clean.
“There is also a fail-safe, where the organization could delete the information on the laptop, should it ever be accessed through the operating system,” Franks said. “The laptop has not yet been recovered nor accessed at this time.”
Any patients of Bassett Family Practice with questions about the theft can call the facility at 1-888-746-7175.
Article by: Martinsville Bulletin – Brian Carlton