AHMC Healthcare Inc. and affiliated Hospitals

Two unencrypted laptop computers containing the protected health information (PHI) of 729,000 individuals were stolen from a secure office on October 23, 2013. The types of PHI involved in the breach included financial information, diagnoses, conditions, treatment information, and demographic information. The covered entity (CE), AHMC, provided breach notification to HHS, affected individuals, and the media. Following the breach, the CE implemented and maintained an encryption plan. It also developed policies and procedures regarding access to and receipt and removal of electronic PHI (ePHI). It also improved safeguards to reduce risks and vulnerabilities to ePHI. As a result of this investigation, OCR provided technical assistance to the CE regarding its obligations to implement and maintain policies and procedures that comply with the Privacy and Security Rules, conduct an accurate and thorough risk analysis, and implement a risk management plan. OCR also provided technical assistance regarding encryption.
Location of breached information: Laptop
Business associate present: No