Sutter Lakeside Hospital (SLH) reported Monday that a laptop computer containing personal and medical information of approximately 45,000 former patients, employees and physicians has been stolen from the residence of a contractor. It has not been recovered.
The information, dating from 2005 and earlier, was to be transferred from one secure system to another as part of an equipment upgrade, but the contractor went against hospital policy by downloading the information onto the laptop's hard drive.
The hospital, upon learning of the misuse of the laptop, discontinued a business relationship with the contractor, who was not an employee of SLH, but was hired for a special project in the IT department, according to Marketing and Communications Manager Mitch Proaps.
"We don't have any information that any of the data has been accessed or used," Proaps said.
The contractor was authorized, as are all SLH contractors, to work on the information through a virtual private network. Some data was being transferred for a radiology system upgrade, Proaps said.
"Where the misuse occurred was where the contractor downloaded the information to the hard drive of the laptop, so that it was out of hospital control and vulnerable to theft," Proaps said. The contractor was not authorized to transmit the data to the laptop's hard drive.
The patient information on the laptop primarily includes names, addresses, phone numbers, dates of birth and social security numbers, officials said. For a small number of patients, billing and diagnosis information was also included.
The laptop was password-protected, which would make it difficult but not impossible to access stored information. The approximately 45,000 people whose information was made vulnerable have been notified via mail, hospital officials said.
"We are taking this incident very seriously and are deeply concerned about protecting the private information of our patients, employees and physicians," Sutter Lakeside CEO Kelly Mather said. "We are fully cooperating with law enforcement in hopes of retrieving the stolen laptop."
"We work in an environment where protecting individuals' information is absolutely as important as providing quality service and care. Storing this type of information on a laptop hard drive is at variance with our organization's strict policies," Mather said.
"To reinforce a secure data environment this day forward, we already have taken aggressive steps to provide additional training to our managers, to conduct audits of all portable computer devices and to re-evaluate our policies and procedures where appropriate. Additionally, we have ordered the latest encryption software and will be installing it on our computer devices," Mather said.
Proaps said the audit did not "find any others" who misused laptops. He said 15 SLH employees, about three percent of SLH's approximately 450 employees, have access to a laptop belonging to SLH. He said this incident has never happened before.
"It is unfortunate that it did occur; most people are well aware of our policies and are trained on HIPA (Health Information Protection Act). They received training on legal and illegal handling of the PHI (Protected Health Information)," Proaps said.
He said the hospital is revisiting some of its policies and has retrained managers. Proaps said that with the latest encryption software the hospital has ordered, the information will be protected.
"Password protecting is useful, but it's still possible to get the information. With encryption, it is impossible," Proaps said.
On Nov. 18, the contractor reported the burglary of his residence to law enforcement, listing the laptop as one item taken.
Hospital officials had no reason to suspect that the laptop contained confidential data until an internal review of archives confirmed the probability that the laptop contained personal information. Upon this discovery, the hospital immediately began taking steps to notify those whose information may have been involved and to establish a hotline for people with questions.