Facts and Background
Industry sector: Professional Services (Accounting)
Total affected individuals: 125,000
Referral method: Commercial policyholder of our insurance company client
When an employee laptop was stolen during an audit for several large regional hospitals, a small accounting firm contacted Identity Theft 911 to determine the potential for a breach incident and the required actions. The audit included review of billing and other information on hospital patients over the last several years. These electronic records contained personally identifiable information (PII) including names, addresses, Social Security numbers, account numbers, and dates of birth, and possibly some protected health information (PHI) including prescription information, procedures, and diagnostic codes. Information was stored electronically both on the office desktop computers and on a laptop computer provided to a new employee. None of the electronic records or data containing either PII or PHI was encrypted, but the laptop computer itself was password protected.
The new employee took the laptop home with her to do work over the weekend. On the way home the new employee stopped at a shopping center to run some errands. When she returned, the back window of her vehicle was broken and her briefcase containing her company-issued laptop was missing. The accounting firm reached out to its commercial insurance provider for possible assistance.
First, Identity Theft 911 worked with the affected firm to determine what level of protection the password afforded the laptop. The laptop's model number was obtained from the firm. A quick and thorough analysis by our forensic expert indicated that with the laptop model in question, simply removing the hard drive and installing it into another laptop of the same model would allow unencumbered access to the contents of that hard drive, bypassing the password protection on the laptop entirely. The accounting firm determined that there was in fact an affirmative duty to notify the affected institutions and their individuals, due to the lack of security on the laptop and the fact that no information contained on the lost laptop was stored in an encrypted format.
While the firm’s insurance policy, under which Identity Theft 911 was to provide consulting services, did not cover the costs of notification mailing, credit/fraud monitoring services, etc., Identity Theft 911 did work with the firm on their notification letter. In the end, the firm was able to defer most of the hard costs regarding consulting on the breach, the forensic opinion, notification requirements, and actual notification, and was able to remain in business.
Final notification was made to the affected class of individuals by each client hospital affected by the accounting firm’s breach. Identity Theft 911 provided notification templates and also worked with both the accounting firm and its client hospitals on the content of the letter and overall breach handling. In the end, the hospitals themselves provided notification to the affected patients letting them know what occurred. Identity Theft 911 assisted the client in understanding its obligations and options regarding the most cost-effective manner of dealing with the situation while still remaining in business.
© 2003-2012 IDentity Theft 911, LLC. All Rights Reserved