Stolen Flash Drive Affects 70,000

Breach Stems from Family Planning Council Burglary
Stolen Flash Drive Affects 70,000
The Family Planning Council in Philadelphia and its network providers are informing about 70,000 clients of a health information breach stemming from a stolen unencrypted flash drive.

The organization, which provides funding for a network of local organizations offering reproductive health services to low-income clients, delayed the announcement at the request of law enforcement authorities, who investigated a burglary that occurred in late December, according to a statement on its website.

The stolen flash drive, which contained patient names, addresses, phone numbers, Social Security numbers, dates of birth, insurance information and certain medical information, has not been recovered. But the council reports there is no indication the information has been inappropriately used.

The Philadelphia Inquirer reports that a former employee of the council, who had a criminal record, was arrested Feb. 9 and charged with burglary, theft, criminal trespass and receiving stolen property in connection with the case.

The council is offering affected clients free credit protection services.

Information on the flash drive included data the council gathered from several area healthcare organizations, for which it gathers and processes information for reporting and billing purposes under government healthcare programs. Those organizations are notifying the clients affected. The data on the stolen flash drive included information from patients who received reproductive health services between Oct. 2, 2008, and Nov. 30, 2010.

The council has implemented additional security precautions in the wake of the incident, according to its statement, "including not allowing unencrypted personal information to be stored on removable hardware, such as flash drives, retraining staff and working with the building to enhance facility security."

The HITECH Act breach notification rule requires healthcare organizations to notify those affected by breaches. Incidents affecting 500 or more individuals must be reported to the HHS Office for Civil Rights within 60 days. As of Monday morning, the incident was not on OCR's list of major health information breaches; the agency posts new incidents once it investigates the details.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network