I find it fascinating that two different companies can have such disparate reactions to a PHI data breach that occurred under similar conditions. Consider two entries at phiprivacy.net, where computers were stolen, triggering a HIPAA breach (obviously, the use of managed HIPAA encryption software like AlertBoot was neglected; otherwise, there wouldn’t be a HIPAA breach).
Self Regional Healthcare and Haley Chiropractic of Tacoma reported data breaches where laptops were stolen during a burglary of office premises. Haley Chiropractic announced that 6,000 patients were affected, three computers were stolen, and that it doesn’t “believe there is a high risk of misuse of the information.” How can Haley Chiropractic substantiate their conclusion? They can’t. They have absolutely no data.
Self Regional Healthcare, on the other hand, reported that one laptop was stolen, reportedly less than 500 people were affected, and that it “must assume there is a possibility that someone may have accessed certain patients’ protected health information,” despite the fact that the thieves were apprehended and “claimed never to have accessed the laptop.”
Low Risk = Encryption
How do you know there is a low risk of the data on a stolen computer being accessed? Because you used encryption software to protect it. Without that, making such a claim should be illegal, because it only serves to confuse people. Arguably it confuses the most vulnerable people: skeptical readers would ignore such a blatantly self-serving statement and take the steps needed to protect themselves.
While I’m not sure what Haley Chiropractic is doing to prevent future recurrences, it turns out that Self Regional Healthcare has deployed encryption on laptops since the incident.
It’s not surprising, when you consider how they’ve reacted to their data breach.
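"Deployed encryption on laptops" only supports a low-risk assessment if every volume on the stolen machine was actually fully encrypted with its protectors enforced. The following is an added example, not code from this post or from any vendor it names: it parses the plain-text report that Windows' `manage-bde -status` prints and flags volumes that would not support such a claim. The layout assumed for that output and the sample report embedded below are constructed for illustration.

```python
"""Fleet check: does a laptop's disk actually qualify as 'encrypted'?

Added example for this post, not code from the post or from any vendor it
names. It assumes the plain-text layout of Windows' `manage-bde -status`
output; the sample below is constructed, not captured from a real machine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample covering three cases a stolen-laptop review cares about:
# a properly protected OS volume, a volume whose encryption never finished,
# and a volume that is fully encrypted but has protection suspended (a
# clear-text key sits on disk, so the data is readable without TPM or PIN).
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [OS]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 42.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Key Protectors:
        Password

Volume E: [Archive]
[Data Volume]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Key Protectors:
        Password
"""

_VOLUME = re.compile(r"^Volume ([A-Z]): ")
_FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(\S.*)$")


@dataclass
class VolumeStatus:
    letter: str
    conversion: str
    protection: str
    percent: float

    def is_protected(self) -> bool:
        # Data on a stolen disk is only unreadable if the whole volume is
        # encrypted AND the protectors are enforced; "Fully Encrypted" with
        # "Protection Off" means the volume key is stored in the clear.
        return (self.conversion.lower() == "fully encrypted"
                and self.protection.lower() == "protection on")


def parse_status(text: str) -> list[VolumeStatus]:
    """Parse manage-bde -status text into one record per volume."""
    raw: list[dict[str, str]] = []
    for line in text.splitlines():
        vol = _VOLUME.match(line)
        if vol:
            raw.append({"letter": vol.group(1)})
            continue
        field = _FIELD.match(line)
        if field and raw:  # header lines before the first volume are ignored
            raw[-1][field.group(1).strip()] = field.group(2).strip()
    return [
        VolumeStatus(
            letter=v["letter"],
            conversion=v.get("Conversion Status", "Unknown"),
            protection=v.get("Protection Status", "Unknown"),
            percent=float(v.get("Percentage Encrypted", "0%").rstrip("%")),
        )
        for v in raw
    ]


def unprotected_volumes(text: str) -> list[str]:
    """Drive letters that would NOT support a 'low risk' breach assessment."""
    return [v.letter for v in parse_status(text) if not v.is_protected()]


if __name__ == "__main__":
    for v in parse_status(SAMPLE_STATUS):
        verdict = "OK" if v.is_protected() else "EXPOSED"
        print(f"{v.letter}: {v.conversion}, {v.protection} -> {verdict}")
```

Run against the real tool's output (`manage-bde -status > status.txt` on each laptop, then feed the file to `unprotected_volumes`) and any drive letter it returns is one for which "we don't believe there is a high risk" cannot honestly be said; an empty list is the evidence a notification letter can point to.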