Stolen hospital laptop had patient data dating back to 2000

August 2, 2006

By Irwin M. Goldberg

A computer containing personal identification information of 257,800 Vassar Brothers Medical Center patients was stolen in June, hospital officials said.

The laptop computer was taken from the emergency department sometime between June 23 and June 26. It contained information on hospital patients dating back to 2000, but only had personally identifying information such as Social Security numbers and dates of birth for 257,800, officials said during a conference call with the Journal. The center notified those patients with a letter dated July 17, though some people didn't receive the letter until Tuesday.

According to the letter, a copy of which was obtained by the Journal, the computer was password protected and there is "no evidence that the hard drive has been inappropriately accessed.''

Doug Murphy, a Wappingers resident, said he and his wife received the letter Tuesday.

"Why did it take two weeks to get to me'' and "Why are Social Security numbers on laptops; shouldn't they be on a hard drive in someone's office, not a laptop where someone can walk out the door with it?'' he asked.

The laptop was used as part of a disaster drill May 21 and had the hospital's master patient index on it, said Florie Munroe, chief compliance officer for Vassar Brothers. It was one of several machines throughout the hospital that had this data downloaded as part of the drill, she said.

The thought was that in a disaster, the hospital would need to function without access to its network, spokeswoman Jeanine Agnolet said.

Since the theft was reported June 26, the data on the other machines has been erased, said Dave Ping, vice president of strategic planning and business development.

The laptop computer is used to gather initial patient information at people's bedsides. It was secured by a cable lock to a mobile cart in the emergency department.

City and state police were notified of the theft June 26, Munroe said.

The computer has not been located, though security videotapes have been reviewed.

One reason for the delay in notifying patients was to make sure only those patients whose identities may have been compromised were sent a letter, Munroe said.

There were other names in the database, but they had no personally-identifying information associated with them. They may have had a medical data number or other incomplete data, she said.

"The 257,800 people contacted had personally identifying information (in the database) which pointed to individuals and could be misued,'' she said.

main page ATTRITION feedback