Found computer drive had Mercy patient data on it

September 15, 2006

By Carol Reiter

A computer memory card with 295 patient names, Social Security numbers, birthdates and medical record numbers was lost by a Mercy Medical Center Merced employee and found months after the card was created.

Because of the possibility that someone could have accessed the unencrypted small memory card, all of the patients were notified Wednesday by certified mail that their privacy may have been invaded. Only one patient's actual medical record was on the card.

Robert McLaughlin, spokesman for Mercy, said the card was created in 2005 when computer files of Mercy's two campuses, Dominican and Community, were being combined into a new computer database.

The employee, who worked in the information technology department of Mercy, created the card to find out what the best way to access patient records was: by name, date of birth or Social Security number.

"We don't know why the memory stick was taken out of the hospital," McLaughlin said.

The employee doesn't know when the card was lost, he said. The last time the card was used was in September 2005.

On July 18, at the Merced County Fairgrounds, a local citizen found the card lying on the ground near the hospital's information booth at the fair. She took the card home, and didn't look at it for about four weeks, McLaughlin said.

When the woman who found the card did look at the information on the card, she realized that it was hospital information and immediately turned it into Mercy administration.

The hospital received the card on Aug. 18, and then spent weeks doing forensic testing on it, McLaughlin said.

"We verified all of the names and addresses, and matched them with current addresses," he said.

On Wednesday, most of the patients received certified letters saying that the incident may have exposed their personal information to an unintended audience.

The letter stated that the hospital will pay for enrollment in a credit monitoring service for one year. It also said that patients should contact one of the three major credit bureaus and have a fraud alert placed in their credit file.

McLaughlin said the hospital will pay for an Equifax Credit Watch Gold account, which monitors the person's credit file and alerts members to key changes. The patients also will receive unlimited credit reports for a year and $20,000 in identity theft protection.

Beth Givens, director for the Privacy Rights Clearing House, a nonprofit consumer advocate group, said whenever a Social Security number is compromised, it could lead to fraudulent applications for new credit accounts.

"If the memory stick got into the hands of a criminal, that criminal can use the data to apply for credit cards and cell phones," Givens said.

Because credit card companies are better at detecting fraudulent applications, it may take up to a year for a criminal to get access to a credit card or cell phone, she said.

Givens said everyone who received a letter from Mercy should use the fraud alerts at credit bureaus, and make sure they order their credit reports at least once in the next year.

"With a Social Security number, the possibilities are almost endless what a criminal can do," Givens said.

McLaughlin said the hospital has taken steps to make sure that no more memory cards are lost or misplaced.

The hospital has encrypted all of its computers, and all of the memory cards now being used are also encrypted. The card that was lost was not encrypted, McLaughlin said.

The hospital has also reinforced its policies and procedures as far as computer files are concerned, and the employee who lost the card was reprimanded.

"Our patients' personal information is so important and we are committed to protecting it," McLaughlin said. "We regret that this happened, and we are taking steps to make sure it never happens again."

main page ATTRITION feedback