[ISN] Thief nabs backup data on 365,000 patients

[InfoSec News]

http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,108101,00.html

By Todd R. Weiss 
JANUARY 26, 2006 
COMPUTERWORLD

About 365,000 hospice and home health care patients in Oregon and 
Washington are being notified about the theft of computer backup data 
disks and tapes late last month that included personal information and 
confidential medical records. 

In an announcement [1] yesterday, Providence Home Services, a division
of Seattle-based Providence Health Systems, said the records and other
data were on several disks and tapes stolen from the car of a
Providence employee at his home. The incident was reported by the
employee on Dec. 31, according to the health care system.

The tapes and disks were taken home by the employee as part of a 
backup protocol that sent them off-site to protect them against loss 
from fires or other disasters. That practice, which was only used by 
the home health care division of the hospital system, has since been 
stopped, said health system spokesman Gary Walker. 

"This was only done in one area of the company," Walker said. "It did 
not involve the hospital's database [of patients]....That one part of 
the company was sending data home off-site. But we should have 
reviewed the policy." 

The data on the tapes was encrypted, Walker said, and the data on the 
disks was in a proprietary file format that was not encrypted, but "is 
stored in a way that would make it difficult, if not impossible, for 
someone to access it, then make any sense out of it." 

 From now on, all data will be made secure using additional 
technologies, according to Walker. "We are encrypting all the material 
we can encrypt now," as the health care system reviews all of its 
procedures and security, he said. "We are sorry that this happened and 
we don't want it to happen again." 

Providence officials said there have been no reports that any of the 
stolen information has been used improperly since the incident. 

Providence is notifying affected patients by mail about the theft. The 
information on the disks and tapes included names, addresses, dates of 
birth, physicians’ names, insurance data, diagnoses, prescriptions and 
some lab results. For approximately 250,000 of the patients, Social 
Security numbers were on the records, according to the health system. 
Some of the records also included patient financial information. 

Rick Cagen, CEO of Providence's Portland service area, said new backup 
procedures are being implemented using more traditional IT means, 
including secure sites in remote locations for safety and redundancy. 
"We do have alternate practices now," Cagen said. 

The four-week delay in publicly announcing the theft was needed so 
Providence officials could recreate the stolen data and identify the 
patients who needed to be contacted, he said. The delay was also 
caused in part by the large number of records that had to be 
processed, he said. 

"We realize this is a major inconvenience and cause for real concern, 
and we deeply apologize to everyone affected by this incident," Cagen 
said. "Even though we have no indication that the thief has accessed 
the data, we are doing all we can to help our patients and employees 
protect their information." 

The incident is the second data theft from a motor vehicle announced 
this week. Yesterday, Minneapolis-based financial services company 
Ameriprise Financial Inc. said it is notifying some 158,000 customers 
and 68,000 financial advisers that a laptop containing personal 
information about them -- including names, account numbers or Social 
Security numbers -- was stolen from a parked car late last month (see 
"Ameriprise notifying 226,000 customers, advisers of data theft" [2]). 

[1] http://www.providence.org/oregon/hcs/newsrelease.htm
[2] http://www.computerworld.com/securitytopics/security/story/0,10801,108071,00.html