On October 10, 2013, the Legal Aid Society of San Mateo County, California sent out a letter notifying potential victims of a data breach suffered by the Society. As the letter states,
On the night of August 12, 2013, our office was burglarized and ten of our laptops were stolen. The stolen laptops were used by our attorneys to assist individuals in getting services. We believe that your personal information may have been stored on the stolen laptops. The personal information believed to be stored on the stolen laptops includes your name, Social Security number, date of birth, medical and health information.What makes this data breach particularly noteworthy is that, although it occurred at a legal aid organization, the information stolen reportedly included health information. The notice does not discuss how and why health information might have been collected and stored by LASSMC; it may relate to the Society's health advocacy services.
Beyond the immediate impact on the LASSMC clients and others whose stolen personal information may be misused, this incident serves as a reminder that even non-medical professionals may hold, and must keep safe, health information. Even where the formal privacy and security requirements of HIPAA may not directly apply, organizations may still need to comply with HIPAA's Business Associates rules as well as general consumer protection obligations. Attorneys in particular should be aware not only of these requirements, but of their ethical obligations to keep client information confidential, which may further be relevant in a data breach situation.
The California Attorney General's list of reported data breaches may be found here; the LACSSMC letter and information is at this link.
No comments:
Post a Comment