Louisiana-based home health and hospice care company Amedisys is unable to locate 142 encrypted laptops and computers that were assigned to former team members, and is notifying nearly 7,000 individuals that their personal information could be at risk.
How many victims? 6,909.
What type of personal information? Clinician laptop devices included names, Social Security numbers, dates of birth, insurance ID numbers, and other medical information of patients being treated by clinicians assigned to them. Non-clinician devices included a variety of personal health and personally identifiable information.
What happened? Amedisys is unable to locate 142 encrypted laptops and computers – which contained the information – that were assigned to former team members.
What was the response? Amedisys engaged Booz Allen Hamilton to assess and enhance its security and inventory systems and practices. All potentially impacted individuals are being notified, and offered free credit monitoring and identity protection services.
Details: Amedisys began an extensive risk management process during the second half of 2014, and the process concluded on Feb. 23. The encrypted computers were originally assigned to Amedisys clinicians or other team members who used the devices in the process of delivering home healthcare and left the company between 2011 and 2014.
The 142 missing devices represent about 0.3 percent of the total number of devices being used during that time period. Amedisys requires team members to return computers upon departing from the company, but “on some occasions” the policy was not followed.
Amedisys devices are protected with 256-bit disk encryption, administrator restrictions, and several other security protections. Amedisys disabled the former employees' network passwords, but those former employees, who are no longer authorized to access patient information, still had access to the encryption key that allows local access to their formerly assigned devices.
Quote: “Amedisys has no indication of external hacking into its network, and no evidence that any patients or former patients have suffered any actual harm,” a press release states. “Amedisys is reporting these computers as required under applicable law and in an abundance of caution because it cannot rule out unauthorized access to patient data on the devices.”
Source: amedisys.com, “Data Security and Privacy,” March 2, 2015.