Stolen Computers, Mobile Phones Expose Thousands of Patients’ Medical Data

Over the past few weeks, several hospitals and medical centers have announced that stolen devices, including computers, laptops and mobile phones, exposed thousands of patients’ personal information.

It’s an ongoing problem that doesn’t show any signs of slowing down, despite growing awareness of the importance of encryption.

Senior Health Partners

On January 30, 2015, New York City’s Senior Health Partners (SHP), a subsidiary of Healthfirst, began notifying 2,700 of its members that their personal information may have been exposed when a laptop and mobile phone were stolen on November 26, 2014 from a nurse employed by SHP partner Premier Home Health.

Although the laptop was encrypted, the encryption key was in the computer bag with the laptop when it was stolen.

An email on the laptop contained an undisclosed number of patients’ names, addresses, Social Security numbers, Medicaid ID numbers, birthdates, phone numbers, medical services rendered, diagnoses, and health insurance claim numbers. All those affected are being offered one year of free credit monitoring services from AllClear ID.

“Senior Health Partners sincerely regrets that this incident occurred,” SHP said in a statement. “It takes the privacy and security of members’ health information very seriously and expects its vendors to do the same.”

Inland Empire Health Plan

California’s Inland Empire Health Plan (IEHP) recently began notifying 1,030 of its members that their personal information may have been exposed when an unencrypted desktop computer was stolen from the offices of IEHP provider Children’s Eyewear Sight on October 28, 2014 (h/t PHIprivacy.net).

The information potentially exposed includes patient names, IEHP member ID numbers, birthdates, mailing addresses, phone numbers and appointment dates.

“Children’s Eyewear Sight notified IEHP about the incident and are taking steps to secure any past, present and future data related to our Members,” IEHP stated in the notification letter [PDF].

St. Peter’s Health Partners

St. Peter’s Health Partners (SPHP) of Albany, New York, recently began notifying 5,117 of its patients that their personal information may have been exposed when a manager’s mobile phone, which had access to corporate email systems, was stolen in late November 2014 (h/t SC Magazine).

The Albany Business Review reports that the data potentially exposed includes scheduling information, including patient names and birthdates, along with the time, date and location of medical appointments, and the reasons for those appointments, for patients who scheduled appointments between August 2014 and November 2014. In two cases, the patients’ home addresses and phone numbers were also exposed.

Once the theft was discovered, the hospital was able to disconnect the mobile phone from the hospital’s network and wipe it remotely.

“While at this time we believe the risk is low that the data on these individuals was accessed, we are committed to doing all we can to protect each and every one of them,” SPHP Medical Associates CEO Donald Martin told the Albany Business Review.

Sunglo Home Health Services

Texas’ Sunglo Home Health Services recently acknowledged that thousands of its patients’ personal information may have been exposed when a burglar broke Sunglo’s office window with a fire extinguisher and stole a computer containing patients’ Social Security numbers and other personal information (h/t HealthITSecurity).

“We’re just worried about the safety of the patients themselves because of the information,” Sunglo IT director Steven Means told KRGV.

While the burglar has been arrested, the laptop has not been recovered.

Riverside County Regional Medical Center

On January 29, 2015, Riverside County Regional Medical Center (RCRMC) announced that an unencrypted laptop that was found to be missing on December 1, 2014 may have contained the personal information of ophthalmology and dermatology patients who received services at the hospital between January 26, 2012 and November 26, 2014 (h/t PHIprivacy.net).

In a statement, RCRMC said computer forensic experts have determined that the laptop contained approximately 7,900 patients’ personal information, including names, addresses, birthdates, and in some cases, Social Security numbers, medical diagnoses, and health plan policy numbers.

“We are taking significant measures to safeguard patient privacy and to restrict unauthorized access to computers and devices that potentially contain patient data,” RCRMC chief compliance officer Jan Remm said in a statement. Those measures, Remm said, include strengthened inventory controls as well as encryption of all RCRMC computers and laptops.

A recent eSecurity Planet article offered advice on how to deal with a data breach, from documentation and communication to incident response and notification.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
