Theft of Devices Containing PHI of Truman Medical Centers and La Clínica de La Raza Patients

Truman Medical Centers in Kansas City, MO, the city’s biggest inpatient and outpatient services provider, found out that an unencrypted laptop computer containing the protected health information (PHI) of 114,466 patients was stolen from an employee’s vehicle.

The laptop was password-protected; however, the password could be deciphered and the information on the device accessed. At the time of issuing the notices, Truman Medical Centers had found no evidence that an unauthorized person had accessed or misused any patient data.

The types of information on the laptop varied by patient, but may have included patient names together with at least one of the following: birth dates, patient account numbers, Social Security numbers, medical record numbers, health insurance details, and some medical and treatment data, including dates of service, diagnoses, and provider names.

The theft happened on July 18, 2019; however, it was only confirmed on October 29, 2019 that the device contained patient data. Truman Medical Centers has already notified by mail all the people whose PHI was kept on the laptop. Those whose Social Security numbers were potentially compromised were offered free credit monitoring and identity protection services.

Employees received additional training on portable device security. Additional controls were also installed on employee laptops to strengthen security.

Theft of Blackberry Containing the PHI of 2,477 La Clínica de La Raza, Inc. Patients

La Clínica de La Raza, Inc. provides primary health care and other services in Contra Costa, Alameda, and Solano counties in California. It recently discovered the theft of a portable electronic device on August 20, 2019.

A briefcase stolen from an employee’s vehicle contained a Blackberry device issued by La Clínica de La Raza. With the help of a computer forensics company, La Clínica de La Raza confirmed on October 16, 2019 that the device contained the PHI of 2,477 patients.

The data was contained in two email messages that were downloaded to the Blackberry device. The information in the emails included names, dates of birth, non-sensitive test data and medical record numbers.

Although it is possible that unauthorized people could access the information, La Clínica de La Raza stated that it would have been difficult to access the PHI. La Clínica de La Raza notified the affected patients about the breach via mail on December 13, 2019 and offered them a free one-year membership to credit monitoring and identity protection services.

The company is also taking steps to strengthen the protection of portable electronic devices and has given employees additional training on portable device security.