Visionworks Inc.

Name of Entity
Visionworks Inc.
Organization Type
Healthcare, Medical Providers & Medical Insurance Services
Address

TX
United States

Description
The covered entity (CE), Visionworks Inc., mislaid a partially encrypted, decommissioned computer server from its in-store lab in Annapolis, Maryland, and the server was not recovered. The server’s hard drive contained the unencrypted protected health information (PHI) of approximately 74,000 individuals. The PHI on the server included demographic, financial, and clinical information. Following the breach, the CE fully encrypted all servers at all of its locations and replaced servers. The CE provided breach notification to HHS, affected individuals, and the media, and offered one year of free credit monitoring. The CE also sent letters to each State Attorney General and posted information on the CE’s website regarding the server incident. In addition, the CE re-trained workforce members, instituted new training requirements on privacy and security awareness, and provided refresher training on incident management. Following OCR’s investigation, the CE secured servers with cable locks and tested and installed a maximum security system that encrypts all hard drives on each server. The CE also completed a company-wide server inventory and hard drive destruction, performed a physical audit of all servers’ boxes, and created a comprehensive system disposal plan.
Location of breached information: Network Server
Business associate present: No
Date of Breach
01/01/2014