Home Health Care Policies: What Happens after a Data Breach?

Posted by Nathan Hope on Oct 5, 2015

Amedisys, Inc., a Louisiana-based home health provider, had its data breached and went through the process of notifying federal and state agencies, a requirement by law.

Amedisys conducted a risk management process to locate approximately 142 encrypted computers/laptops that were apparently in the possession of former employees and contained sensitive patient information. While there have been no actual reported instances of data abuse, the company cannot rule out unauthorized access to patient information via the devices, and the breach must be reported in accordance with healthcare information privacy regulations.

The agency wrote a letter to its patients:

“An Amedisys inventory has shown that a laptop or computer used in connection with the home healthcare Amedisys provided to you has not been located within the Amedisys system. Our records indicate that this device was originally assigned to a licensed clinician or other Amedisys team member as of [DATE]. The computer at issue contained your medical records, including Social Security number, date of birth and Medicaid/Medicare number.

There is no evidence that your information was inappropriately used, and we have received no reports of any hacking, fraud, or identity theft. However, as required by law and out of an abundance of caution for our patients, we are providing notice to all patients whose information was on devices that we have not been able to reconcile as of the February 23, 2015 completion of our inventory process.”

The computers were originally assigned to Amedisys caregivers and many of them were unaccounted for after the designated employees left the agency. Amedisys claims that their devices are “robustly protected” with 256-bit encryption but does not offer any additional details regarding their security practices.

Amedisys has offered one-year subscriptions to identity theft protection services to all potentially impacted customers and has also hired a technology consulting service to further assess and enhance the security of their health information network, as well as the inventory system used to track their equipment.

Regulatory authorities such as the U.S. Department of Health and Human Services are currently reviewing the situation and the implications of local and federal laws.

At MyHomecareBiz.com, patient information security is paramount. If you’re concerned about the integrity of your agency’s information security practices, we are always available to assess your situation and provide you with valuable information to ensure your agency is in full compliance with security regulations.