[Dataloss] Hospital laptop walks away during disaster drill, patient data back to 2000 does, too

Fri Aug 4 19:10:39 EDT 2006

[Production data during testing?  Auditors LOVE that one.  HIPAA, you  
say?]

 From http://www.poughkeepsiejournal.com/apps/pbcs.dll/article?AID=/ 
20060802/BUSINESS/60802004

Stolen hospital laptop had patient data dating back to 2000

By Irwin M. Goldberg

A computer containing personal identification information of 257,800  
Vassar Brothers Medical Center patients was stolen in June, hospital  
officials said.

The laptop computer was taken from the emergency department sometime  
between June 23 and June 26. It contained information on hospital  
patients dating back to 2000, but only had personally identifying  
information such as Social Security
numbers and dates of birth for 257,800, officials said during a  
conference call with the Journal. The center notified those patients  
with a letter dated July 17, though some people didn't receive the  
letter until Tuesday.

According to the letter, a copy of which was obtained by the Journal,  
the computer was password protected and there is "no evidence that  
the hard drive has been inappropriately accessed.''

Doug Murphy, a Wappingers resident, said he and his wife received the  
letter Tuesday.

"Why did it take two weeks to get to me'' and "Why are Social  
Security numbers on laptops; shouldn't they be on a hard drive in  
someone's office, not a laptop where someone can walk out the door  
with it?'' he asked.

The laptop was used as part of a disaster drill May 21 and had the  
hospital's master patient index on it, said Florie Munroe, chief  
compliance officer for Vassar Brothers. It was one of several  
machines throughout the hospital that had this
data downloaded as part of the drill, she said.

The thought was that in a disaster, the hospital would need to  
function without access to its network, spokeswoman Jeanine Agnolet  
said.

Since the theft was reported June 26, the data on the other machines  
has been erased, said Dave Ping, vice president of strategic planning  
and business development.

The laptop computer is used to gather initial patient information at  
people's bedsides. It was secured by a cable lock to a mobile cart in  
the emergency department.

City and state police were notified of the theft June 26, Munroe said.

The computer has not been located, though security videotapes have  
been reviewed.

One reason for the delay in notifying patients was to make sure only  
those patients whose identities may have been compromised were sent a  
letter, Munroe said.

There were other names in the database, but they had no personally- 
identifying information associated with them. They may have had a  
medical data number or other incomplete data, she said.

"The 257,800 people contacted had personally identifying information  
(in the database) which pointed to individuals and could be misued,''  
she said.