July 25, 2019
The Department of Behavioral Health and Intellectual disAbility Services announced today that close to 1500 of its clients are being notified of a privacy breach. It occurred in the Division of Intellectual disAbility Services (“IDS”), within DBHIDS. This division coordinates and administers services for 15,487 individuals with intellectual disabilities in Philadelphia, including home and community habilitation, adaptive equipment, behavior and other therapies, and residential, respite, employment, and day services.
On May 24, 2019, DBHIDS learned that an IDS employee lost a briefcase on public transit earlier that day, which contained a laptop that was password protected but not encrypted. Although police and public transit customer service were immediately contacted, DBHIDS was not able to recover the laptop. To determine the scope of information that may have been compromised, DBHIDS and the City’s Information Security Group conducted a forensic review. The review confirmed that, after the laptop was lost, there was no unauthorized access to DBHIDS client records stored in secure web-based systems. Most of the work performed on this laptop was saved in those secure systems; however, forensic review identified additional files that were likely saved on the laptop’s hard drive, such as backup copies of status reports and internal tracking spreadsheets. The files contained personal information of 1,458 IDS clients, including: name, date of birth, MCI number (a unique client identifier for PA-DHS social services benefits), service provider name, and information about Medicaid waiver services the client applied for or was receiving. The data did NOT contain social security or credit/bank account numbers.
“We take our obligation to protect the privacy of the people that we serve very seriously,” said David T. Jones, Commissioner of the Department of Behavioral Health and Intellectual disAbility Services. “Once we learned about the lost laptop within our Intellectual disAbility division, we immediately implemented actions to inform anyone who may have been impacted, provided additional training to our workforce and implemented additional controls to prevent this type of incident from occurring in the future. We deeply regret and apologize for any concern or inconvenience this situation may cause to the people and families that we serve.”
DBHIDS has not received information indicating that any client’s data has been viewed or misused in any way. However, since DBHIDS has been unable to rule out the possibility that data was accessible to unauthorized persons after the laptop was lost, DBHIDS is notifying all clients whose information could have been saved on the laptop. DBHIDS encourages all individuals to routinely remain vigilant against incidents of identity theft and fraud by regularly reviewing bank account and credit card statements and monitoring health insurance explanation of benefits forms for suspicious activity. As an extra precaution, DBHIDS is providing one year of complimentary credit monitoring and identity protection services to affected clients.
As a result of this incident, DBHIDS has taken corrective actions including ensuring that all laptops currently in use by DBHIDS are encrypted, providing additional training to its workforce, and continuing to review its practices and implement additional controls to prevent this type of incident from occurring in the future.
DBHIDS clients with questions or concerns can call its toll-free call center at 888-884-0180.
David T. Jones
Jill Bowen, Ph.D.