A laptop was stolen from home, exposing hundreds of patients’ medical records in Arizona

17 April 2013

By Hillary Davis

A burglar swiped a laptop and hard drive containing sensitive medical and personal data for hundreds of mental health patients from Yuma and across the state.

Alicia Z. Aguirre is the general counsel for Yuma’s Arizona Counseling and Treatment Services, a contracted provider with Cenpatico Behavioral Health of Arizona. It was one of her employees who was the victim of the burglary last month.

“Sometime between March the 18th and the 25th, someone broke into an employee’s home and stole a work laptop and external hard drive,” among other belongings, she said.

The employee immediately filed a police report upon realizing there had been a break-in and continued to look for the laptop and drive, hoping they’d just been misplaced. But they didn’t turn up.

The laptop was loaded with recovery tracking software. But the drive was not.

Saved to that drive were names, dates of birth and treatment plans — but no Social Security numbers or financial information— of more than 500 patients served by ACTS and Cenpatico between 2011 and 2013. This is information protected by the Health Insurance Portability and Accountability Act, or HIPAA.

Aguirre said whoever stole the computer and drive probably wasn’t aware of what they really snagged, and she has no reason to believe the equipment was stolen for its data content. She’s had employees checking pawn shops for the items, but with no luck.

Although she is notifying those patients and her firm will be offering help with credit monitoring, the law requires Aguirre to make a wider public notice because of the size of the breach.

Not all of the patients necessarily live in the Yuma area. ACTS also provides services in La Paz, Pinal, Greenlee, Graham and Cochise counties.

Aguirre said the computer equipment was out of the office because the employee does some work from home. The employee is not at fault, she said.

Potentially affected people will be getting a letter about the breach if they haven’t already. They can also call the ACTS Corporate Compliance Office 1-800-218-6409 or write to [email protected] for more information. The phone number and e-mail address should be up and running by Friday.

Read more: http://www.yumasun.com/articles/drive-86835-patients-laptop.html#ixzz2RK5OXt5v