A personal information security breach was recently discovered at Philadelphia’s Department of Behavioral Health and Intellectual disAbility Services (DBHIDS) after an employee lost a briefcase containing a laptop that was password-protected but not encrypted. A login password alone does not protect data at rest: the contents of an unencrypted drive remain readable regardless of the operating system password.
The breach involved records covered by the Health Insurance Portability and Accountability Act (HIPAA), which is designed to protect personal information and data collected and stored in medical records. HIPAA established a national standard that applies to all doctors’ offices, hospitals and other businesses where personal medical information is stored.
The employee lost the laptop May 24 while taking public transit.
Notification of the privacy breach was sent to 1,500 clients on July 22. According to spokeswoman Alicia Taylor, a forensic review conducted by DBHIDS and the city’s Information Security Group indicated that cloud-based systems had not been compromised; however, the analysis could not rule out the possibility that client records on the laptop hard drive may have been accessed, hence the City’s need to notify clients.
The majority of DBHIDS computers were encrypted, and the department is still in the process of determining why one set was not, Taylor informed PW in an email.
“We take our obligation to protect the privacy of the people that we serve very seriously,” said David T. Jones, Commissioner of the Department of Behavioral Health and Intellectual disAbility Services, in a statement. “Once we learned about the lost laptop within our Intellectual disAbility division, we immediately implemented actions to inform anyone who may have been impacted, provided additional training to our workforce and implemented additional controls to prevent this type of incident from occurring in the future.
“We deeply regret and apologize for any concern or inconvenience this situation may cause to the people and families that we serve,” he said.
The files contained personal information such as name, date of birth, MCI number (a unique client identifier for PA-DHS social services benefits), service provider name and information about Medicaid waiver services the client applied for or was receiving. The data did not contain Social Security numbers or any credit card or bank account numbers.
DBHIDS is providing one year of credit monitoring and identity protection services to affected clients and ensuring that all employee laptops are encrypted, Taylor said in a statement. On a larger scale, the city is now reviewing all security controls in HIPAA-covered departments to make sure encryption and other protection measures are being employed, Taylor told PW in an email.
She would not comment on whether the employee had been fired or disciplined.
As a result of this incident, all IDS staff were re-assigned the City’s HIPAA Basics Training Course to remind them of their obligations under the HIPAA Privacy & Security Rules. They will also be assigned security training specifically focused on topics such as securing laptops and other devices when working remotely, choosing strong passwords, encryption, email and phishing, browsing safely and reporting suspected security threats.
“DBHIDS is thoroughly investigating causes of this incident and taking appropriate corrective actions, including re-training the employees involved, providing additional privacy/security training to the DBHIDS workforce, and continuing to review practices and implement additional controls to prevent this type of incident from occurring in the future,” Taylor wrote to PW. “Immediately after the incident occurred, the DBHIDS IT team ensured all other laptops currently in use were encrypted.”