Jul 19, 2011 18:52 GMT

Spartanburg Regional, a South Carolina healthcare system, has been notifying 400,000 current and former patients that their personal information was compromised when one of the organization's computers was stolen.

According to the healthcare provider, the theft occurred on March 29, 2011, when a desktop computer was stolen from an employee's car overnight.

"The employee was authorized to have possession of the computer. We have reported this to the proper authorities and an investigation is ongoing," Spartanburg Regional said.

The computer contained 400,000 patient records that included real names, addresses, dates of birth and medical billing codes. Spartanburg doesn't mention if the computer was password protected or if the data was encrypted.

The security rule of the Health Insurance Portability and Accountability Act (HIPAA), which protects medical records, states that encryption is optional if the data is stored on a closed system or network with adequate physical and technical protection.

However, the breach notification rule says that "individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach."

Considering the theft occurred at the end of March, Spartanburg might be in violation of the HIPAA provisions. However, given the unusually high number of letters that needed to be sent, the organization might have received an extension.

Spartanburg offers affected individuals a free subscription to an identity theft protection service provided by Kroll, which includes credit monitoring as well as identity theft consultation and restoration.

"We regret that this incident occurred. We encourage you to take advantage of these services, which are provided at no cost to you. If you have any questions at all, please call 1-855-401-2640, 9:00 a.m. to 6:00 p.m. (Eastern Time), Monday through Friday," Spartanburg wrote in its letter.