Data of 43,000 patients breached after theft of unencrypted laptop

A laptop of a Coplin Health Systems employee was stolen from a car in November and serves as a reminder to healthcare organizations to encrypt all data that physically leave the building.

By Jessica Davis

January 12, 2018

11:50 AM

West Virginia-based Coplin Health Systems is notifying 43,000 patients of a potential data breach due to the theft of a laptop from an employee’s car.

Officials discovered the theft on Nov. 2. And while the organization equipped the laptop with security tools and was password-protected, it failed to encrypt data stored on the hard drive.

Data on the laptop included patient names, Social Security numbers, financial information, addresses, dates of birth and medical data.

[Also: Cyberattack knocks New York hospital offline for a week]

Upon discovering the theft, officials disabled the computer’s access to the organization’s network and have continuously monitored systems for unauthorized access. Law enforcement and the U.S. Department of Health and Human Services were notified of the theft.

Coplin officials are continuing to work with law enforcement about the incident.

“To date, no one has attempted to use the stolen laptop to access any of our IT networks. Nor have we received any information from law enforcement authorities or from any patients that would suggest that any person’s personal information has been accessed or used improperly,” wrote Coplin Health Systems CEO Derek Snyder.

The health system is reviewing internal policies to ensure adherence by employees. Further, it’s reviewing security measures to find vulnerabilities and will enforce disciplinary actions on employees who violate those standards, officials said.

The breach is a serious reminder that encryption should be mandatory for all data, as threats are not just the result of cybercriminals. And HHS has in the past cracked down on organizations that failed to implement these encryption policies.

In March 2016, North Memorial Health Care of Minnesota was hit with a $1.55 million settlement with HHS stemming from the 2011 theft of an unencrypted laptop from a business associate’s workforce member’s vehicle. North Memorial failed HIPAA on several accounts, including failure to have a compliant business associate agreement in place.

Puerto Rico-based MAPFRE Life Insurance settled with HHS in January 2017 for a September 2011 theft of an unencrypted USB drive containing the data of 2,209 patients from its IT department. Officials said MAPFRE didn’t have necessary safeguards in place.