Omnicell, Inc.

An electronic medication dispensing device was stolen from the locked car of an Omnicell employee. Omnicell is a business associate (BA) of the covered entity (CE), Sentara. The protected health information that was involved in the breach included patient names, birth dates, patient numbers, medical record numbers, and clinical information of 56,820 of the CE's patients. Breach notification was provided to HHS, the media and affected individuals. The BA represented to the CE that they had recently completed a risk analysis containing details of implemented administrative, physical and technical safeguards. The BA informed the CE that they have in place a security awareness and training program and provided information regarding its education of workforce members. As a result of OCR's investigation, OCR obtained an executive summary of the BA's risk analysis and a copy of the CE's most recent risk analysis. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA's use and disclosure of PHI and required the BA to safeguard all PHI.
Location of breached information: Laptop
Business associate present: Yes