Missing Laptops, Drives Expose Thousands of Patients’ Medical Data

In three recent cases, lost or stolen laptops and hard drives may have exposed thousands of patients’ protected health information (PHI).

New York’s St. Luke’s Cornwall Hospital (SLCH) recently announced that a USB drive was stolen from a restricted area of the hospital on October 31, 2015, resulting in the potential exposure of some patients’ PHI.

According to DataBreaches.net, a total of 29,156 patients are affected. The information exposed may include names, medical record numbers, dates of service, types of imaging services received, and administrative information for internal business use.

All those affected are being offered one free year of identity theft recovery services from ID Experts.

“SLCH values the privacy and security of its patients’ information and is taking steps to prevent this type of event from happening in the future, including requiring password and encryption protection for all of its USB thumb drives, and the implementation of new systems that do not require the use of thumb drives or other mobile media devices,” the hospital said in a statement.

Similarly, Indiana University Health Arnett Hospital recently announced that on November 20, 2015, the hospital determined that an unencrypted portable storage device was missing from the hospital’s Emergency Department.

The device contained spreadsheets with information on Emergency Department visits between November 1, 2014 and November 20, 2015, including patient names, birthdates, ages, home phone numbers, medical record numbers, dates of service, diagnoses and treating physicians.

SC Magazine reports that a total of 29,324 patients are affected.

“IU Health Arnett takes very seriously its obligation to maintain patient information secure, and we appreciate the trust our patients place in us,” the hospital said in a statement. “We are taking steps to enhance the protection of portable storage devices and are reviewing policies and procedures to minimize the chance of such an incident occurring in the future.”

And HealthSouth Rehabilitation Hospital of Round Rock, Texas, previously Reliant Rehabilitation Hospital Central Texas, recently announced that an unencrypted laptop containing PHI was stolen from the trunk of an employee’s vehicle on or around October 21, 2015.

The laptop held patient names, addresses, birthdates, Social Security numbers, phone numbers, insurance numbers, diagnoses, referral ID numbers and/or medical record numbers.

1,359 patients are potentially affected.

“The hospital was recently acquired by an affiliate of HealthSouth on Oct. 1, 2015,” HealthSouth said in a statement. “While it is HealthSouth’s policy to encrypt all laptops, the laptop at issue which was used at the Reliant hospital prior to the acquisition was not encrypted. As part of HealthSouth’s post-acquisition integration process, all Reliant laptops were required to be returned and exchanged for encrypted HealthSouth laptops. The Reliant laptop at issue, however, was stolen before being returned to HealthSouth.”

Last year, an IANS survey of 100 information security influencers and decision makers, sponsored by Vormetric, found that fully 84 percent of respondents had considered a security strategy of encrypting all data. Their reasons for doing so included preventing data breaches (66 percent), fulfilling compliance or audit mandates (54 percent), and protecting financial and other assets (53 percent).

Recent eSecurity Planet articles have offered six tips for stronger encryption and examined the importance of providing security awareness training to employees.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
