This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). A recent posting in this blog series reported that, on February 24, 2012, HHS recorded number 400 in the ever-lengthening parade of List Breaches.
That posting also noted that more than half (223) of the 400 List Breaches attributed the breach to “Theft.” Of the 223 thefts reported, 93 were characterized as theft of a laptop. Therefore, it is not surprising that the 400th List Breach, affecting Triumph, LLC (“Triumph”), was reported to be a theft of a laptop on December 13, 2011, affecting 2,000 individuals and involving several of its North Carolina behavioral and psychiatric facilities (the “Triumph Breach”).
While the facts of the Triumph Breach were not remarkable in themselves, the event is worthy of review as a typical List Breach involving the theft of a laptop that contained PHI of several thousand individuals. A closer look at the Triumph Breach reveals that Triumph appears to have been a victim with little ability to avoid the loss.
To its credit, Triumph has placed a HIPAA Breach Notification (the “Notification”) on its Web site with a prominent notice on its Home page in red with a link to the Notification and the following advice: “Please click here to read the public notice which may affect consumers receiving services from our Winston-Salem, Mocksville and King facilities.” As this blog series has pointed out in previous postings, many covered entities do not detail List Breaches on their Web sites.
The Notification states that the Triumph Breach occurred on December 13, 2011 when three men entered the 2nd floor lobby. While two of them were distracting the receptionist, the third entered a hallway and stole a laptop computer from an office. Because the Notification says that the laptop was password protected, one can reasonably conclude that there was no encryption. The information on the computer was reported in the Notification to have included names, dates of birth, medical record numbers, insurance/Medicaid numbers, billing codes and authorization status for services, but not social security numbers, diagnostic codes or specific financial information.
Although the HHS List states that 2,000 individuals were affected by the Triumph Breach, the Notification did not state the number of affected individuals. Additionally, while the Notification included contact information for questions about the Triumph Breach, it made no reference to Triumph offering credit monitoring or other security services to affected individuals, as has been done for many other List Breaches. Perhaps the explanation for the latter omission is the following statement by Triumph in the Notification:
“We believe the motive for the theft was for the computer not for the information stored on the computer. In light of this theft, we are examining our policies, procedures and protocols to safeguard against any future incidents.”
Nonetheless, it is unclear whether the PHI stored on the computer will be inappropriately accessed and used. Triumph was clearly an unfortunate victim of a theft of PHI, as many other providers have been. Even so, the Triumph Breach is a reminder that it does not matter how a List Breach is caused. It will be costly for the covered entity in every case on many levels, and the ultimate extent of the adverse impact cannot be known with certainty.