The personal information for roughly 57,000 patients at Lucile Packard Children's Hospital at Stanford was put at risk after a laptop was stolen from a physician's off-campus car on Jan. 9. According to an announcement from the hospital, most of the medical information on the laptop was mostly from 2009 and related to research and follow-up care.
While no financial information, Social Security numbers or other marketable information was compromised, according to the hospital, the laptop did include names, dates of birth and medical record numbers for patients. The hospital and the School of Medicine are working with law enforcement to recover the laptop, officials said, and those affected have been offered free identity protection services.
"As a result of this incident, we are taking additional steps to further strengthen our policies and controls surrounding the protection of patient data, including redoubling our efforts to ensure that all computers and devices containing medical information are encrypted," the announcement said.
This isn't the only brush with trouble for Lucile Packard regarding a stolen laptop. In January 2010, an employee stole a password-protected desktop computer containing information on more than 500 patients. The hospital initially was fined $250,000 by the California Department of Public Health for allegedly reporting the incident 11 days beyond a required window, although that fine eventually was reduced to $1,100.
Meanwhile in Honesdale, Pa., Wayne Memorial Hospital suffered a data breach when a hospital administrator tried to send an unencrypted compact disc containing information on more than 1,100 Medicare patients via certified mail to the Pittsburgh office of Novitas Solutions, Inc., a Camp Hill, Pa.-based Medicare administrative contractor, the Times-Tribune reported. The disc, which contained names, account information and Medicare account numbers for 1,182 patients at the hospital, was sent from Wayne Memorial on Nov. 28; an empty cardboard box arrived at Novitas Solutions on Dec. 3.
Hospital spokeswoman Lisa Champeau told the Times-Tribune that the hospital launched an investigation immediately, but that both the patients and the U.S. Department of Health & Human Services weren't notified until last Friday. The hospital, though, had up to 60 days to notify both parties after an initial investigation of 10 days, meaning they still met the required deadline.
"It was brand new to all of us. We didn't know the right course to take," Champeau said of waiting to notify the patients and HHS. "We didn't want to alarm anybody."
To learn more:
- read the report from Lucile Packard Children's Hospital at Stanford
- read the article from the Times-Tribune
Hospital appeals $250K date breach penalty
Thefts at Stanford, Oregon hospitals jeopardize patient info for nearly 17k
Lost USB drive compromises info for Medicaid recipients
Health department breach impacts 24K Medicaid patients