Breach with a Twist: Data Encrypted but Still at Risk
Home health and hospice provider Amedisys is notifying more than 6,900 individuals of a breach of protected health information, even though the PHI is encrypted.
Home health and hospice provider Amedisys is notifying more than 6,900 individuals of a breach of protected health information, even though the PHI is encrypted.
In most cases under the HIPAA privacy and security rules, if protected health information is compromised but the data is encrypted to industry standards, then it is as if no breach occurred and affected individuals need not be notified. This incident is an exception, as Amedisys in an inventory of its desktop and laptop computers learned that about 142 were missing.
These were assigned to clinicians and staff who left the company between 2011 and 2014 and Amedisys did not retrieve the computers. So while the PHI was protected with 256-bit disk encryption, those with the computers still had the encryption key, although they no longer had company network access.
Also See: Understanding a Medical Record Breach vs. a Medical Data Breach
Amedisys has no indication of external hacking into its network and no evidence that any patients or former patients have suffered any actual harm, according to a company statement. Affected individuals are being offered credit monitoring and identity theft protection services. The company has contacted with Booz Allen Hamilton to assess and enhance its security and inventory practices.
Protected health information that may have been on the computerswhich account for 0.3 percent of Amedisys computing devicesinclude patient name, address Social Security number, birth date, insurance ID number, medical records, and other personally identifiable information. A company spokesperson did not respond to a request for additional information.
In most cases under the HIPAA privacy and security rules, if protected health information is compromised but the data is encrypted to industry standards, then it is as if no breach occurred and affected individuals need not be notified. This incident is an exception, as Amedisys in an inventory of its desktop and laptop computers learned that about 142 were missing.
These were assigned to clinicians and staff who left the company between 2011 and 2014 and Amedisys did not retrieve the computers. So while the PHI was protected with 256-bit disk encryption, those with the computers still had the encryption key, although they no longer had company network access.
Also See: Understanding a Medical Record Breach vs. a Medical Data Breach
Amedisys has no indication of external hacking into its network and no evidence that any patients or former patients have suffered any actual harm, according to a company statement. Affected individuals are being offered credit monitoring and identity theft protection services. The company has contacted with Booz Allen Hamilton to assess and enhance its security and inventory practices.
Protected health information that may have been on the computerswhich account for 0.3 percent of Amedisys computing devicesinclude patient name, address Social Security number, birth date, insurance ID number, medical records, and other personally identifiable information. A company spokesperson did not respond to a request for additional information.
More for you
Loading data for hdm_tax_topic #care-team-experience...