Madrona patients may face ID theft

August 11, 2006

By Mary Lane Gallagher, The Bellingham Herald

Madrona Medical Group is asking thousands of patients to watch their credit reports after a former employee was charged with illegally downloading patient files onto his personal laptop computer.

Madrona officials don't believe the files were copied or used for identity theft, but they sent letters this week to more than 6,000 patients anyway, asking them to take steps to make sure no one uses the information illegally.

The records include patients' names, addresses, Social Security numbers and dates of birth.

"There is no evidence that this individual actually transferred information to any other source," said Dr. Erick Laine, CEO of Madrona Medical Group, a large multispecialty practice in Bellingham. But Madrona officials are required by law to let patients know of the security breach, he said.

Madrona officials said they called Bellingham Police as soon as they discovered the unauthorized computer activity back in December.

Former Madrona Medical Group employee Timothy R. Kiel was arrested June 8 and faces trial Sept. 19 on first- and second-degree computer trespass charges. Whatcom County prosecutors say Kiel downloaded onto his personal computer patient records, proprietary software, licensing keys and other data Dec. 17, 2005.

Kiel resigned from the company Dec. 20, prosecutors say, but continued to use his laptop to connect to Madrona's servers more than 50 times between Dec. 26, 2005, and Jan. 15, 2006.

For example, prosecutors say, Kiel on Jan. 13 used a stolen vendor account, his laptop and a high-speed Internet connection at his Lynden home to connect to Madrona's computer system. He deleted backup files, e-mail files belonging to Madrona's human resources director, and server log files to cover his tracks, prosecutors allege.

Neither Kiel nor his attorney could be reached for comment Thursday.

Madrona officials think Kiel wasn't actually looking for the patient files, which are mostly a set of lab results from January to March of 2005.

"We don't know precisely what his intentions were," Laine said. "All we know is that he, against authorization, downloaded Madrona records that included patients' information."

Though the security breach was discovered in December, Madrona officials didn't know exactly which files had been compromised until they could review the police report that arrived in mid-July, said Madrona spokesman Mark Johnson. Madrona officials are now more closely monitoring the few employees who have access to so many records, like Kiel did, Johnson said.

The practice already has "very sophisticated" computer security systems, Laine said.

"What we cannot secure ourselves against, unfortunately, are other people's actions," he said. "Illegal actions, in particular."

main page ATTRITION feedback