Wilcox reports possibility of identity theft; 130,000 Social Security numbers lost

October 20, 2005

By Andy Gross - The Garden Island


The Social Security numbers of 130,000 former and current Wilcox Memorial Hospital patients have been lost due to the disappearance of a back-up computer data drive, a hospital spokesperson said.

The drive was reported missing on Wednesday, Oct. 5, according to Lani Yukimura, marketing director for Wilcox Health (Wilcox Memorial Hospital and Kauai Medical Clinic).

The data refers only to hospital patients, and does not include medical information, but does include names, addresses, medical record numbers and, as mentioned, Social Security numbers.

The data file goes back 12 years, according to Yukimura.

Hospital officials are concerned about potential identity theft, should the computer drive, which is much smaller than a cellular telephone, fall into the wrong hands.

Yukimura said 130,000 letters dated Monday, Oct. 17, and signed by Kathy Clark RN, chief operating officer of Wilcox Memorial Hospital, have been sent out to patients whose information is lost and might be compromised.

Yukimura said no one is certain what happened to the backup data, which was stored on a "thumb drive."

She said Wilcox officials, un-like hospitals in California, are not required by law to divulge that the data is missing, but did so voluntarily to protect patients.

"We have no indication anyone has used this information. It is missing, and we want people to know about it," she said.

Yukimura said Kaua'i Police Department (KPD) officers have been contacted, and an in-house investigation is also proceeding.

Yukimura said the data on the drive was not encrypted, and is readable with Adobe Acrobat Reader.

"While our systems are extremely secure, our employees are trained and we have procedures in place, this incident showed us that we need to have clearer policies on both encryption as well as access to back-up data," she said.

"We have discontinued the use of thumb drives for this type of information storage."

The thumb drive is the world's first and smallest portable storage drive. It plugs directly into the USB port of any computer, and can store virtually any digital data from documents and presentations, and can fit on a key chain or in a pocket, according to Internet information.

Hawaii Pacific Health (HPH) Information Security and Privacy Officer David Fox said hospital leaders are still considering whether or not they would contact FBI officials. He said HPH and Wilcox officials were still weighing liability issues, and other authorities they might be obligated to contact.

HPH is the parent organization of Wilcox Memorial Hospital and the Kauai Medical Clinic. No KMC data has been breached.

Fox said Wilcox officials waited 12 days from the discovery of the drive being missing to the issuance of the letters in order to make sure the thumb drive was in fact missing, so as to not unduly alarm patients in the event the drive was found.

"We didn't want to sit on it any longer based upon the respect we have for the patients, and the risk it could potentially create," he said.

Yukimura said hospital officials would not reveal what department this occurred in, or who was in charge.

"It is inappropriate to comment on the specifics related to any individuals that may be involved. What we can say is that our ongoing internal review and work with KPD has not turned up anything."

Yukimura said the thumb drive is usually stored in a secure area.

"It was also being used within that secure area, and the discovery that it was missing was also made within that secure area," Yukimura said.

"We sincerely regret that this incident occurred, and we are doing everything we can to remedy the situation," she continued.

"We are letting people know because we feel they should be made aware of the possibility that the information can be misused. We have no indication that the information has been or will be misused, and we're still hoping that the missing drive will be located."

In her letter, Clark wrote: "We take information security and the responsibility of protecting our patient information seriously. We have many safeguards and processes in place, however this incident has prompted us to take even further precautions and protective measures."

[an error occurred while processing this directive]