Thomas Jefferson University Hospital in Philadelphia this week became the latest hospital forced to notify thousands of patients that some of their most sensitive financial and medical information was compromised following a laptop theft.
Hospital officials said the names, birth dates, social security numbers, insurance information and other internal and administrative coding data, for approximately 21,000 patients was exposed after a laptop was stolen from an office in the hospital. The theft covers those who received inpatient care at the hospital between March and November of 2008.
On June 14, an employee reported a personal laptop he was using to store the data was stolen. While the laptop was password protected, the data itself was not encrypted. The hospital then hired Kroll, a risk consulting company, to conduct an internal investigation as it began the process of notifying those patients potentially affected by the breach.
“On behalf of everyone at Jefferson Hospitals, please accept our apologies and know that we are committed to providing assistance to the affected patients,” Jefferson Hospitals president and CEO Thomas Lewis said in a statement. “Jefferson Hospitals has extensive internal policies reflecting our commitment to the appropriate use of personal health information and employees receive training on these policies annually.”
“The storage of patient data on an employee’s unencrypted computer — even while on TJUH premises – is a breach of hospitals’ policy,” he added.
This incident is just the latest in a string of data breaches and device thefts that have plagued hospitals and health-care providers this year.
Earlier this week, the Identity Theft Resource Center issued a report that found hospitals and physicians’ offices were responsible for a disproportionate number of major data breaches reported in the first half of this year.
In April, a pair of incidents strikingly similar to the Thomas Jefferson University Hospital breach impacted patients in Massachusetts and California. In both cases, a laptop containing unencrypted patient information was stolen from either an employee’s car or office.
A survey, by independent research firm the Ponemon Institute, found that more than 600,000 laptops and 800,000 storage devices were lost or stolen in 2009.
Hospital officials said it will provide free credit-monitoring services for all affected patients for at least one year and is in the process of reviewing and improving all of its internal data security procedures and policies.