McKesson: Stolen Computers Contain Patient Information

September 7, 2007

By Sharon Gaudin, InformationWeek

Health-care services company, McKesson, is alerting thousands of its patients that their personal information is at risk after two of its computers were stolen from an office.

The company, which helps pharmaceutical manufacturers set up assistance programs for patients in need, sent out a letter alerting patients that the computers were stolen on July 18. The names of the people being alerted were on one of the two PCs, but it's not known how much of their accompanying identifying information was also contained on the machines.

"Your personal information may have been on one of the two computers that were stolen from a McKesson office," wrote Patrick Blake, president of McKesson Specialty Pharmaceutical, in the letter to one patient. "At this point, we have not determined if your personal information was on either stolen computer. However, we are taking the precaution of notifying every patient whose information might have been on the computers, just to be safe."

A spokesman for McKesson did not return phone calls requesting comment, but a company representative on the McKesson hotline said "thousands" of patients were affected and letters were sent to everyone who had at least a name on one of the machines. It's possible that identifying information, including addresses, prescribed medications, dosages, Social Security numbers, and dates of birth, also were contained on the computers. The loss appears to affect both current and former patients.

The company representative said it's not clear if the data on the machines was encrypted. Local police and the FBI have been called in on the investigation.

Blake's letter suggested that those contacted put a fraud alert on their credit files. The representative on the McKesson hotline said the company would give customers a year of free credit reporting if they requested it.

"We also have taken steps to ensure this doesn't happen again by increasing and improving employee understanding and awareness of corporate security policies and procedures, policies for handling patient data, and company security processes," wrote Blake. "We deeply regret that this incident occurred."

The hotline number is: 866-554-6366.

The impact of data theft is usually severe when health-care companies are involved. Earlier this year, a laptop was stolen from a secure office in a Texas hospital group, putting identifying information on 7,800 patients without health insurance at risk. The Seton Family of Hospitals reported in February that a security camera captured video of a thief carrying out a laptop and a projector. The laptop contained identifying personal information such as Social Security numbers, dates of birth, and insurance program numbers.

main page ATTRITION feedback