Washington DSHS clients face potential patient data breach

Healthcare breaches are on the rise, and more often than not are the result of misplaced or stolen laptops and USB sticks

The laptop, belonging to Dr. Sunil Kakar, was taken on Feb. 4 in Gig Harbor, and was recovered in a pawn shop by Gig Harbor Police on Feb. 14, the DSHS said.  

The patients whose information may have been compromised are clients of the Department’s Economic Services Administration. Depending on the services rendered, the personal data could include client names; identification numbers; psychological evaluations, including notes and reports with diagnoses; dates of birth; the last four digits of Social Security numbers; dates of services; and addresses.

“All 652 clients have been notified of the potential breach of their confidential information and steps they can take to protect themselves from identity theft in the event that information had been compromised,” the agency said.

The good news is that security measures, including password protection, were in place, and there is no evidence that the files were accessed by unauthorized people or used for identity theft.

“We are unable to determine whether the data was accessed or further copied or disclosed,” said Kakar, in the letter published by the DSHS on its website, which went out to the 652 clients. “While there is no information to show that the stolen data has been accessed or used for identity theft, I am erring on the side of caution and notifying every person who might be affected.”

He added, "I am extremely sorry for this situation and understand it may cause concern, embarrassment and inconvenience. I try very hard to earn your trust, and that includes protecting sensitive information about you. I take client confidentiality very seriously."

DSHS is encouraging the potential victims to contact the fraud departments of any one of the three major credit bureaus (Equifax, Experian or TransUnion) to have a fraud alert placed on file and to request a copy of credit reports to see if any unauthorized charges have been made. If there are fraudulent charges, consumers should confirm them with the business in question and file a police report. Meanwhile, users should freeze credit reports to stop criminals from obtaining a loan in someone else’s name.

Healthcare breaches are on the rise, and more often than not are the result of misplaced or stolen laptops and USB sticks. A study last autumn by the Ponemon Institute found that most hospitals (94%) have experienced data breaches over the past two years. But almost half of them (45%) have seen, staggeringly, more than five data breaches at their organization this year. That’s compared to only 29% with more than five data breaches in 2010. Equipment loss accounted for 46% of the breaches last year.

Thankfully, encryption for files is mandated in healthcare privacy policies and regulations, and healthcare providers face hefty fines for not complying. Nonetheless, the impact of all of that data leakage is striking and escalating as well: the average breach cost $2.4 million in the 2012 Ponemon study – up from $2.1 million last year and $400,000 in 2010's study.
