Stolen Flash Drive Affects 70,000Breach Stems from Family Planning Council Burglary
The organization, which provides funding for a network of local organizations offering reproductive health services to low-income clients, delayed the announcement at the request of law enforcement authorities, who investigated a burglary that occurred in late December, according to a statement on its website.
The stolen flash drive, which contained patient names, addresses, phone numbers, Social Security numbers, dates of birth, insurance information and certain medical information, has not been recovered. But the council reports there is no indication the information has been inappropriately used.
The Philadelphia Inquirer reports that a former employee of the council, who had a criminal record, was arrested Feb. 9 and charged with burglary, theft, criminal trespass and receiving stolen property in connection with the case.
The council is offering affected clients free credit protection services.
Information on the flash drive included data the council gathered from several area healthcare organizations, for which it gathers and processes information for reporting and billing purposes under government healthcare programs. Those organizations are notifying the clients affected. The data on the stolen flash drive included information from patients who received reproductive health services between Oct. 2, 2008, and Nov. 30, 2010.
The council has implemented additional security precautions in the wake of the incident, according to its statement, "including not allowing unencrypted personal information to be stored on removable hardware, such as flash drives, retraining staff and working with the building to enhance facility security."
The HITECH Act breach notification rule requires healthcare organizations to notify those affected by breaches. Incidents affecting 500 or more individuals must be reported to the HHS Office for Civil Rights within 60 days. As of Monday morning, the incident was not on OCR's list of major health information breaches; the agency posts new incidents once it investigates the details.