DBHDD investigates data breach involving stolen laptop

October 9, 2014

Concerned individuals urged to call 844-888-5998

ATLANTA—A laptop owned by the Georgia Department of Behavioral Health and Developmental Disabilities (DBHDD) was stolen from an employee’s vehicle on Aug. 14, 2014 while the employee was attending a conference in Clayton County, Georgia. The device contained protected health information (PHI) of individuals receiving services funded through the agency. DBHDD’s IT department is working hand-in-hand with law enforcement to investigate the theft. At this point, there is no evidence that any confidential information has been accessed. The department has followed reporting procedures required by the U.S. Department of Health and Human Services.

The health information contained on the laptop relates primarily to individuals served by DBHDD’s region six office located in west central Georgia. The department sent a letter to each person who may be affected by the theft. The letter explains the incident and actions individuals can take to help protect their PHI. Included with the letter is information on obtaining free credit reports and fraud alerts. The department provided a toll-free number (844-888-5998) that individuals may call to find out if their information is on the laptop.

DBHDD hospitals and regional offices are staffed by a HIPAA coordinator. These coordinators work with DBHDD staff to increase awareness of confidentiality rules and requirements, assist with questions about confidentiality, and help DBHDD follow all state and federal confidentiality requirements. “Protecting the individuals we serve is extremely important to us. We take very seriously the confidentiality of their information,” said DBHDD Chief of Staff Judy Fitzgerald. “We are constantly looking for ways to improve the system across all aspects of DBHDD’s operations.”

The security of electronic devices is a priority for the department. In 2013, DBHDD worked with an audit team from Ernst & Young to assess the department’s HIPAA privacy and security compliance. The results of that audit were already being implemented at the time this theft occurred. The new measures include stronger policies and procedures regarding PHI, data encryption and requiring virtual private network (VPN) access for viewing protected information.

“DBHDD is reinforcing our information security practices to protect against future data breaches,” said Doug Engle, the department’s director of information technology. “While it’s impossible to ensure that a laptop will never be stolen, we are taking proactive steps to protect client information by reducing the risk of that information getting into the wrong hands.”

Anyone whose personal information is believed to be on the missing laptop should have received a letter from the department. Individuals concerned that their personal information may be on the stolen laptop should call 844-888-5998, provided toll-free by DBHDD.

Frequently Asked Questions

How was the laptop stolen?
An employee of the Georgia Department of Behavioral Health and Developmental Disabilities (DBHDD) was staying at a hotel in Clayton County, Georgia on official business. The thief smashed a car window and removed the laptop.

What information was on the stolen laptop?
The laptop contained protected health information (PHI) of individuals receiving DBHDD-funded services. In this case, the PHI included name, address and phone number, date of birth, name of guardian (if any), marital status, social security number, Medicaid number, diagnosis, behavioral data and other information.

How many individuals may be affected by the theft?
The laptop contained PHI of 3,397 individuals.

Has this incident resulted in any identity theft? Are bank and credit card accounts at risk due to the theft?
The investigation has not shown that anyone’s personal information has been accessed or used. No known identity thefts have been linked to this incident. However, anyone who wants to know whether his or her information is on the laptop should call DBHDD at the toll-free number 844-888-5998. This number will be available until January 9, 2015, for the purpose of inquiries on this incident only.

How is DBHDD notifying individuals whose PHI may have been compromised?
DBHDD has sent individual letters to clients (or their guardians) giving them information on how to request free credit reports and a free fraud alert on their credit report from federally approved companies. DBHDD has provided a contact within the department for this information. Call 844-888-5998 (toll-free, open until January 9, 2015).

What measures are being taken to determine whether PHI has been stolen?
A law enforcement investigation into the theft is underway. DBHDD is also conducting an internal investigation into the incident. Additionally, security measures in place on the laptop wipe the data and prevent access to the PHI if an unauthorized user attempts to access the internet.

How will the department protect data security in the future?
The nature of DBHDD services requires employees to work in the field and have access to client information while on-location. We cannot ensure that devices are never stolen, but the department is taking active steps to secure and protect patient information. This includes strengthening department policies and procedures related to PHI and increasing training on security awareness regarding DBHDD-issued laptops. The department is also working to ensure that all laptops are encrypted and that PHI can only be accessed using a virtual private network (VPN), so that no protected data is stored on a laptop.

FOR MORE INFORMATION:
Chris Bailey, Director of Communications
cdbailey1@dbhdd.ga.gov
(404) 463-7649