[Dataloss] Hospital laptop walks away during disaster drill, patient data back to 2000 does, too
Chris Walsh
cwalsh at cwalsh.org
Fri Aug 4 19:10:39 EDT 2006
[Production data during testing? Auditors LOVE that one. HIPAA, you
say?]
From http://www.poughkeepsiejournal.com/apps/pbcs.dll/article?AID=/
20060802/BUSINESS/60802004
Stolen hospital laptop had patient data dating back to 2000
By Irwin M. Goldberg
A computer containing personal identification information of 257,800
Vassar Brothers Medical Center patients was stolen in June, hospital
officials said.
The laptop computer was taken from the emergency department sometime
between June 23 and June 26. It contained information on hospital
patients dating back to 2000, but only had personally identifying
information such as Social Security
numbers and dates of birth for 257,800, officials said during a
conference call with the Journal. The center notified those patients
with a letter dated July 17, though some people didn't receive the
letter until Tuesday.
According to the letter, a copy of which was obtained by the Journal,
the computer was password protected and there is "no evidence that
the hard drive has been inappropriately accessed.''
Doug Murphy, a Wappingers resident, said he and his wife received the
letter Tuesday.
"Why did it take two weeks to get to me'' and "Why are Social
Security numbers on laptops; shouldn't they be on a hard drive in
someone's office, not a laptop where someone can walk out the door
with it?'' he asked.
The laptop was used as part of a disaster drill May 21 and had the
hospital's master patient index on it, said Florie Munroe, chief
compliance officer for Vassar Brothers. It was one of several
machines throughout the hospital that had this
data downloaded as part of the drill, she said.
The thought was that in a disaster, the hospital would need to
function without access to its network, spokeswoman Jeanine Agnolet
said.
Since the theft was reported June 26, the data on the other machines
has been erased, said Dave Ping, vice president of strategic planning
and business development.
The laptop computer is used to gather initial patient information at
people's bedsides. It was secured by a cable lock to a mobile cart in
the emergency department.
City and state police were notified of the theft June 26, Munroe said.
The computer has not been located, though security videotapes have
been reviewed.
One reason for the delay in notifying patients was to make sure only
those patients whose identities may have been compromised were sent a
letter, Munroe said.
There were other names in the database, but they had no personally-
identifying information associated with them. They may have had a
medical data number or other incomplete data, she said.
"The 257,800 people contacted had personally identifying information
(in the database) which pointed to individuals and could be misued,''
she said.
More information about the Dataloss
mailing list