Thefts of Unencrypted Laptops Expose 7,000 Patients' Medical Data

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

In two recent cases, approximately 7,000 patients' personal and medical information may have been exposed as a result of two laptop thefts. 

The LSU Health New Orleans School of Medicine recently announced that the theft of a university-issued laptop from Dr. Christopher Roth, assistant professor of urology, may have exposed the protected health information of approximately 5,000 minor patients in Lousiana and Mississippi.

The laptop, which hasn't been recovered, was stolen from Dr. Roth's car sometime between the evening of July 16 and the morning of July 17, 2015.

The information potentially exposed includes patient names, birthdates, treatment dates, conditions, treatments and outcomes, lab test results, radiological and ultrasound images, medical record numbers, and diagnosis and treatment information. So financial information or Social Security numbers were exposed.

There's no backup of the data on the laptop, so it's not possible for LSU Health to determine exactly what information was on the laptop drive.

"It is unknown whether any specific patient's data were on the stolen laptop, however those patients the university suspects may have been affected will receive individual notification by mail, along with information about protecting against identity theft," LSU Health said in a statement [PDF].

All those affected are being offered a one-year subscription to a credit monitoring service. Patients of Dr. Roth between July 2009 and July 16, 2015 are advised to call either (504) 568-8672 or (844) 578-2656.

"LSU Health Science Center New Orleans' policy requires users of its SYSTEM IT infrastructure to take reasonable care to avoid allowing unauthorized access to or disclosure of protected and restricted information stored on a mobile device and prohibits users from leaving SYSTEM-owned mobile device unattended," LSU Health stated. "The policy was not adhered to in this instance, and appropriate disciplinary action will be taken at the conclusion of the investigation."

The university is also reviewing its information security policies to determine if improvements can be made to reduce the risk of a similar breach happening in the future.

Separately, Dr. Max M. Bayard of St. Albans, Vermont, recently notified 2,000 patients that their personal information may have been exposed when his offices were broken into on August 5, 2015, and a laptop and hard drive were stolen (h/t DataBreaches.net).

While the information held on the devices varied by person, it included patient names, Social Security numbers, birthdates, and other limited treatment-related information such as Medicare/Medicaid enrollment information, dates of treatment, types of treatment, and diagnoses.

All those affected are being offered one year of identity protection services from AllClear ID. Patients with questions are advised to contact (877) 615-3792.

"Immediately upon discovery of the theft, we changed the firewall password, and changed all software-related, login, and email account passwords," Dr. Bayard wrote in a notification letter [PDF] to those affected.

"We are also taking addition steps to prevent this type of event from occurring in the future, including installing security cameras, securing the computers in a safe when not in use, encrypting all computers, and reviewing our policies and procedures for the secure storage of personal information," Dr. Bayard added. "Our staff is being trained on these additional safeguards."

Recent eSecurity Planet articles have examined the importance of offering security training to employees and offered six tips for stronger encryption.