LGH physicians' records stolen

July 28, 2006

By Cindy Stauffer, Lancaster New Era


A computer with personal information about hundreds of local physicians was stolen last month from an office at Lancaster General Hospital.

LGH sent a letter to the affected physicians. homes 11 days later, informing them of the June 10 theft from the Duke Street hospital and advising them to be .extra vigilant in monitoring for signs of potential identity theft..

The theft is the latest of numerous heists of computers holding personal identification both here and across the nation.

Last week, Armstrong World Industries sent a letter to about 12,000 current and former employees, informing them of the theft of a laptop that contained personal information about them. In May, federal officials reported the theft of a laptop with personal information about 26.5 million veterans and military personnel.

In the Lancaster General case, the thief took a free-standing personal computer that stored the names, practice addresses and Social Security numbers of physicians on its medical and dental staff. The computer did not have financial information or any health records, said the letter, provided by a source to the New Era.

John Lines, LGH spokesman, declined today to provide the number of physicians who received the letter.

He did say about 40 physicians contacted the hospital after receiving the letter, to ask for more details about the computer and the theft.

The Dell computer was stolen from a locked office on a Saturday. The office is on the first floor of the hospital, in an area not easily accessed by the public, Lines said.

Lancaster City Police are still investigating the theft, he said.

The data stored on the computer was not encrypted, or encoded to disguise the information, Lines said.

He said the thief would have to look hard to find the data.

"It would be among thousands of files on that desktop computer, in a file with an unspecific name. You would have to know what you're looking for to find this file," he said. "It's not a file that says, "Social Security numbers, click here.. "

Hospital officials do not think the thief took the computer because it contained the personal information, Lines said.

The hospital waited 11 days to inform physicians about the theft because officials did not know exactly what data was on the stolen computer, he said.

The data was used to .verify professional accreditation educational backgrounds. as part of the hospital.s process of granting credentials to its medical staff, according to the letter.

The hospital in the letter advised doctors to review bank statements, credit card statements and other statements relating to financial transactions.

Computer security analyst Peter Lindstrom today said security breaches like this one are not a recent or unusual phenomenon.

The problem, he said, is that businesses and other entities still use Social Security numbers as a way to authenticate someone's identity. The numbers are easily available and not a good way to do that, he said.

"The SSN is not a secret as often as we want it to be," said Lindstrom, a security analyst with Spire Security in Malvern. "It's impossible to close that Pandora's Box."

More employers and businesses must and will begin encrypting sensitive data to protect it, he said.

"It's not easy," he noted, "it's not a snap-your-fingers type of solution, but it is possible. Within five years, everything of value will be encrypted."

main page ATTRITION feedback