University of Kentucky - UK HealthCare

An unencrypted company laptop computer was stolen from the car of an employee of the covered entity (CE). The laptop contained the protected health information (PHI) of 3,604 individuals and included names, dates of birth, social security numbers, medical record numbers, and diagnoses. The CE provided breach notification to HHS, the media, and affected individuals. In response to this incident, the CE implemented a policy requiring encryption on all laptops containing PHI. The CE also provided employee training regarding mobile device encryption and refresher training on HIPAA. OCR obtained assurances that the CE implemented the corrective actions listed.
Location of breached information: Laptop
Business associate present: No