U.S. Healthworks, an urgent care and occupational health service provider, has begun notifying patients of a possible data breach after an unencrypted laptop issued to one of its employees was stolen. According to the company's breach notification letter:
"On April 22, 2015, we learned that a laptop issued to one of our employees had been stolen from the employee’s vehicle the night before. The theft was immediately reported to law enforcement, and we immediately began an internal investigation. On May 5, 2015, we determined that the employee’s laptop was password protected, but it was not encrypted."
The letter goes on to explain that the laptop, which may have contained personally identifiable information, including name, address, date of birth, job title, and Social Security Number, has still not been located. As a precautionary measure, U.S. Healthworks will be offering a free year of Experian's ProtectMyID Alert identification protection services to all individuals who may have been affected by the breach.
The company has also pledged itself to "enhancing [its] procedures related to deployment of laptops and full disk encryption" and to conducting audits that will help to ensure compliance with its laptop encryption policy. News of this breach comes just a few weeks after Heartland Payment Systems suffered a data breach when their offices in Santa Ana, California experienced a break-in. According to the breach notification letter, "Many items, including password protected computers belonging to Heartland were stolen," a statement which Forbes has interpreted to mean that its systems may also have not been encrypted.
"Heartland continues to monitor the situation carefully and has increased its internal security and review procedures to watch for any unusual activity," Heartland's notice goes on to explain.
U.S. Healthworks, which is headquartered in Valencia, California and which has nearly 200 clinics located in 19 states, is the latest healthcare organization to report a data breach. It joins CareFirst BlueCross BlueShield and three hospitals based in Bergen County, New Jersey, which all reported breaches at the end of last month.