An example HIPAA Breach

Stolen laptop held data of high-risk pool members


A laptop stolen from an auditor’s car contained the personal information of more than 3,400 members of a high-risk insurance pool set up in South Carolina for those unable to find coverage because of a medical condition, an attorney hired by the pool told The Associated Press on Monday.

The password-protected laptop, stolen Oct. 16, contained names and Social Security numbers of 3,432 people who were part of the high-risk pool in 2011 and 2012, said Cynthia Hutto of Nelson Mullins Riley & Scarborough. The Legislature created the South Carolina Health Insurance Pool in 1989.

The laptop was stolen from a car outside the home of a DeLoach & Williamson auditor. The Richland County Sheriff’s Department was called Oct. 17, and the pool was notified Oct. 21. The computer was never recovered and officials are unaware of any fraud resulting from the theft.

“There’s absolutely no indication that anything’s been accessed or used,” said Kevin Dolan, of Nelson Levine de Luca & Hamilton in Pennsylvania, speaking for the auditing firm.

Letters notifying affected members did not go out until Dec. 18.

Hutto said that’s because it took time to determine what information was stolen, hire a company to notify members and set up a call center and credit monitoring for them. DeLoach & Williamson is covering those costs, both Hutto and Dolan said. Neither knew the tally.

“First, we had to determine what type of information was included,” Hutto said, adding that “getting the pieces in place” also included getting members’ addresses.

Of the 3,432 affected members, 91 have addresses outside the state – 25 of them in North Carolina. They have until March 31 to sign up for a year of credit monitoring services through the credit bureau Experian, funded by the firm. The call center went live Dec. 19.

The pool, which operates as a nonprofit, is made up of all health insurers in the state and is funded by them. Under state law, it is supposed to be overseen by an eight-member board: five appointed by participating insurers and three by the governor. But the governor’s three appointment seats – which are supposed to represent consumers and non-insurance businesses – are vacant, according to a list of board members from Hutto.

About 1,500 people are currently insured through the pool, according to Blue Cross Blue Shield of South Carolina, which the board pays to administer the program. The board also hired the auditing firm.
