A dermatologist had his laptop stolen from his car. The computer contained 8,000 patient records, but all were encrypted. The doctor sought legal advice, reached out to all patients notifying them of the potential breach of PHI, and hired a service to help protect his patients. Can his patients sue him?
Dr. Laptop went to dinner about a year ago and left one of his medical office laptops in the car. When he returned from dinner, he noted the car had been broken into and the laptop was gone. All of his 8,000 patient records were on the laptop, but thankfully all materials were encrypted; there was no evidence of any protected health information (PHI) being stolen.
Nevertheless, Dr. Laptop, concerned about any potential Health Insurance Portability and Accountability Act (HIPAA) issues, contacted a healthcare lawyer. His attorney advised him to notify all patients of the theft, to provide all patients with a free one-year service that would notify them of any potential identity theft, and to set up an 800 number to call with any questions or concerns. Dr. Laptop did so. However, six months ago, a patient filed a lawsuit against Dr. Laptop for HIPAA violations, contending that all of her personal information and Social Security number had been seen on the Web, and she accused Dr. Laptop of being the reason for this mishap.
Dr. Laptop returned to his attorney and sought legal help. Is Dr. Laptop liable?
A similar situation happened to the Easter Seals Society of California.
The Easter Seals Society of Superior California sent out notification letters upon discovering that a laptop containing patient information had been stolen from an employee’s car on Dec. 10th, 2013. Easter Seals immediately launched an internal investigation. They also hired a specialized data security lawyer, as well as external forensic experts, to help determine the magnitude of the breach.
Although the stolen computer was powered off, password protected, and not connected to the Internet at the time of its theft, it was confirmed that there were emails containing health information of certain patients and potential patients that still could be accessed. The information in these emails included the children’s names, dates of birth, healthcare provider information, healthcare billing information, patient identification number, and occupational therapy notes.
There were no confirmed attempts at fraud pertaining to this health information, but the Easter Seals Society still made sure that their clients felt protected and secure. The company commented in their letter, saying, “Out of abundance of caution and in order to help you detect the possible misuse of your child’s information, Easter Seals has arranged to have AllClear ID protect your child’s identity for 12 months at no cost to you.”
Additionally, a phone number was provided to clients, who could then work with an investigator to recover any financial losses, restore credit, and make sure that any identity affected was returned to its proper condition.
Easter Seals also enrolled its clients in an additional service that added more protection, credit monitoring, and a $1 million identity theft insurance policy. Furthermore, a confidential inquiry call line for clients was made available. President and CEO Gary T. Kasai concluded the notification letter by stating that protection and security of client information remains Easter Seals’ highest priority.
The take-home messages here are clear. All dermatologists must be certain that all patient PHI is encrypted. If a breach may have occurred, it is best to take ownership of the problem right away to avoid further problems.
Dr. Laptop did the right thing. He sought legal advice, reached out to all patients notifying them of the potential breach of PHI, and hired a service to help protect his patients. None of this will stop his patients from filing a lawsuit against him.
However, the burden now shifts to the plaintiff patient. She must prove Dr. Laptop was the culpable source for her PHI now being seen on the Web. This may be a high hurdle for her.