A computer stolen from the University of Tennessee Medical Center's West Knoxville billing office contained names and other information for 3,800 people who received treatment at UTMC in 2003, the medical center announced Monday. The hard drive on the laptop computer, stolen Aug. 25, contained patient names, Social Security numbers and birthdates, but no medical information. Though the data was protected by a password, the medical center on Oct. 21 sent letters to people whose information was believed to be on the stolen computer.
Tennessee law requires state agencies and their contractors to password-encrypt sensitive data, and federal law requires companies to notify consumers when personal data might have been compromised.
"We have no evidence your information has been misused," said UTMC Compliance Officer Gary Thomas in the letter. "In fact, the data stored on the computer was protected by a password, and we believe it is unlikely that the data will be accessed by a third party. Nevertheless, since it is possible that someone with the necessary computer skills could view this data, we decided to inform you of the theft because we are concerned about your privacy and personal credit."
The theft was reported to the Knox County Sheriff's Office on Aug. 26. Asked why the medical center didn't inform affected patients of the theft for almost two months, hospital spokeswoman Lisa McNeal said it took UTMC's computer systems and finance departments several weeks to recreate the database to determine what names and data were on it. McNeal said the laptop was used only in the billing office and on the UTMC campus.
The theft was also reported to the three national credit-reporting bureaus, as required by law. Still, in the letters, Thomas advised affected patients to file a "fraud alert" with one of the bureaus. Such an alert asks creditors to contact the person before opening or changing accounts.
Thomas also advised that patients request copies of their credit reports and review them for "suspicious activity, like inquiries from companies you didn't contact, accounts you didn't open, and debts on your accounts that you can't explain." Those with such activity, or whose personal information had been altered, should file police reports, he said.