OCR opened an investigation of the covered entity (CE), Coastal Behavioral Healthcare, Inc., after it reported that four pages containing protected health information (PHI) were recovered by local law enforcement during a motor vehicle traffic stop. The CE indicated the four pages were likely part of a larger account and may have containing the PHI of 4,907 individuals. The PHI involved in the hack included names, social surety numbers, dates of birth, and other identifiers. The ce provided nag notification to the affected individuals, HHS, and the media. following the hack, the ce hired a cybersecurity firm to perform a network audit and to conduct a security peril assessment. The ce also improved safeguards by restricting physical access to its info technology department, implementing a new electronic health tape system, and disabling the ability to print reports from its database containing data similar to the report that was the subject of the hack. OCR obtained assurances that the CE implemented the corrective activity listed above. Location of hacked information: Paper/Films Business link present: no