A desktop computer containing the personal information of 5,783 Johns Hopkins Hospital patients was stolen in mid-July, hospital officials said.
Officials defended their decision to wait more than five weeks before informing the patients of the theft, saying they did not want to compromise the effort to recover the computer.
The hospital filed a police report two weeks after the theft but waited until Aug. 24 to start sending letters to patients to let them know that their personal information was missing. The computer included patients' names, Social Security numbers, birth dates and medical histories.
"We have no reason to believe any of the data has been misused," said Gary Stephenson, a hospital spokesman, adding that it was "highly likely" the computer was stolen for the value of its hardware.
Stephenson said recordings from video surveillance cameras led authorities to issue criminal summonses for a Hopkins employee and an employee of an on-site vendor. He didn't identify the two workers.
The hospital apologized to patients for "any inconvenience or worry caused by the theft." Stephenson said disclosing the incident earlier "might have sabotaged the effort" to find the computer, and that it took a while to reconstruct the list of patients in the missing database.
Such thefts are becoming more common in Maryland and around the country. Hopkins reported in February that it couldn't locate computer tapes containing personal information on 135,000 employees and patients.
In May 2006, a laptop containing the Social Security numbers of more than 26 million veterans and their spouses was stolen from the Aspen Hill home of a Department of Veterans Affairs employee.
A laptop with data on 130,000 former and current patents at St. Mary's Hospital in Leonardtown was stolen last May. And last weekend, a Maryland Department of the Environment laptop with personal records of 10,000 people was taken from an employee's car.
Linda Foley, founder of the Identity Theft Resource Center in San Francisco, conceded that determining whose personal information has been stolen can take time. But she said institutions should notify victims of information theft promptly.
"The sooner you can get fraud alerts out to the credit agencies, the better," she said.
Hopkins has set up a telephone hot line for those affected by the data breach. The hospital is also promising to help patients if their identities are stolen and has offered to pay for credit monitoring and counseling services for a year.