A second Maryland hospital has reported losing sensitive computerized data on tens of thousands of patients, raising another alarm about how consumer information is protected.
Up to 130,000 former and current patients at St. Mary's Hospital in Leonardtown have recently been notified that a laptop with personal information was stolen from the hospital in December. Just last week, Johns Hopkins officials reported the loss of thousands of employee and patient records.
Last seen Dec. 5 in St. Mary's emergency care center, the computer included the names, Social Security numbers and birth dates of patients who had been treated as long ago as 1989, said Christine Wray, the hospital's president and chief executive officer. The data did not include anyone's medical or financial information, but it also was not encrypted, so anyone can read it, she said.
The laptop, used to register patients as they came in for treatment, was taken from a treatment area that the public could generally access without a security check.
The hospital has contracted with National ID Recovery of Norcoss, Ga., a firm that specializes in identity theft cases, to help patients keep track of their personal information such as credit card usage patterns, she said. The service will be free to patients, and the hospital is paying the firm up to $425,000, she said.
At Hopkins, officials began notifying employees and hospital patients Feb. 7 that backup computer tapes containing Social Security numbers, addresses and direct-deposit bank account information had been missing for seven weeks. The data for the 52,567 former and current employees, misplaced by a courier, did not include medical information.
The courier also misplaced a separate tape from the hospital with names, dates of birth, sex, race and medical record numbers for 83,000 new hospital patients seen between July 4 and Dec. 18, 2006, or those who updated their information during that period.
Hopkins officials say they believe none of the data was compromised.
But those affected questioned recordkeeping practices at both hospitals.
"It's a little ridiculous that all this information is sitting on a laptop, waiting to be stolen. Why do they have information from that far back?" said Mark Smythe, 34, a former St. Mary's Hospital patient who received a letter notifying him of the laptop theft last week. He was treated for a twisted ankle at the hospital in the 1990s when he was a student at St. Mary's College.
He said someone fraudulently used his credit card account in December, but he has no way of knowing if it was related to the laptop theft.
The state Office of Health Care Quality, which regulates hospitals, is seeking information about the records in the Hopkins case before deciding whether to begin investigating the incident, said Wendy Kronmiller, the agency's director.
Kronmiller, who learned about the St. Mary's laptop theft yesterday from a reporter, said from what she could tell it wouldn't warrant an investigation by her staff.
"It wouldn't necessarily be something we'd find out about," she said. "What was lost wasn't information about people's diagnosis or medical histories. It can lead to horrible outcomes, but it's not really a match with all these laws designed to protect medical records."
Many states have laws requiring hospitals and other institutions to alert individuals if their Social Security or credit card numbers are stolen, but Maryland isn't one of them. Federal law also doesn't impose such requirements, said Linda Foley, executive director of the Identity Theft Resource Center in San Diego.
"In order to measure what's going on, you need to first have it reported somehow," said Lillie Coney, associate director of the Electronic Privacy Information Center in Washington.
Cases of hospitals losing records remain rare, experts say. Nonetheless, yesterday the Department of Veterans Affairs began notifying 1.8 million veterans and doctors that their personal and business information could be on a portable hard drive that has been missing from an Alabama hospital for nearly three weeks.
The hard drive may have contained Social Security numbers and other personal information from about 535,000 individuals and billing information on 1.3 million doctors nationwide, the VA said.
Nancy Fiedler, senior vice president of the Maryland Hospital Association, said to her knowledge those are the only two instances in recent years in which Maryland hospitals have lost personal information. "I don't think they're common by any means," she said.
St. Mary's Hospital was under no legal obligation to disclose the laptop theft, because no medical records were stolen, Wray said. But she and others on the hospital's staff felt it was necessary to give those potentially affected the chance to begin tracking their credit records and other personal information.
"We believe it was the right thing to do," Wray said.
The theft was first reported Feb. 7 by a weekly newspaper, The Enterprise.
Wray acknowledged that public notification could have been quicker. But she said the hospital alerted the St. Mary's County sheriff's office Dec. 8 and began looking for guidance on how to proceed before mailing 130,000 notices in late January. Finding the right identity theft consulting firm took time, she said.
"We've obviously never had to do this; it's never come up before," she said.
She said patient records go back to 1989, when the hospital began using the current computer system. The records help to ensure quality care for patients seen over the years at the 105-bed community hospital.
"Many patients come and see us more than just once," she said. By keeping patient records, the hospital is able to "go back to your file and keep up the continuity of care."
Laptops used to register patients are now bolted down, password protected and linked to the hospital mainframe computer so they can be disabled if they disappear, Wray said.
There's no evidence that personal information from the laptop has been used to obtain credit cards or steal anyone's identity, said Ron Logan, an executive with National ID Recovery.