Beth Israel Deaconess Medical Center (BIDMC) in Boston is notifying 3,900 patients that a stolen laptop may have put their personal information at risk, the hospital said Friday.
A thief stole a personal laptop computer from a physician's office at BIDMC on May 22.
BIDMC hired a national forensic firm to investigate whether the information has been misused, The Boston Globe reported. BIDMC said in a statement that the compromised information did not contain patient financial information such as Social Security numbers, medication lists or "complete medical records," but it did include medical information summaries.
Authorities arrested a suspect, but the laptop hasn't been recovered. In addition, it doesn't appear that the information was misused, the hospital said.
The incident raises security questions and accountability issues. The personal computer had a tracking device, but it was never activated. Although BIDMC protects company-issued devices, the stolen computer was a personal device, The Boston Globe noted.
"It's a teachable moment," BIDMC Chief Information Officer John Halamka said about changing hospital policy. Employees' devices are now subject to mandatory encryption, along with antivirus protection and up-to-date software patches. "So any device that is used in any way with our data, whether it is patient-related or administrative, it must be encrypted," Halamka told The Boston Globe. The process could take up to three months for the 1,500 personal electronic devices that might be used for work by the hospital's 6,000 employees.
"We take the incident extremely seriously and have now accelerated implementation of a program to assist employees with protecting devices they purchase personally," Halamka said in the statement. BIDMC also increased physical security and mounted a campaign about data security issues.
BIDMC is no stranger to data breaches. Last year, the hospital notified more than 2,000 patients about potential risks to their information, also stemming from a computer. The computer, which was infected with a virus, included patient names, birth dates and names of procedures. It turns out a vendor failed to restore security controls on a computer following routine maintenance, The Boston Globe reported.
For more information:
- see the BIDMC statement
- read the Boston Globe article