The information of some patients at Brigham and Women's Hospital in Boston has been compromised after a laptop and cellphone were stolen from a hospital physician.
The armed robbery took place off the hospital's campus; during the incident, the physician was forced by the assailant to give up passcodes and encryption keys to the devices, according to a recent announcement from BWH.
Encryption is one of the most important steps a healthcare organization can take to keep information secure, according to many HIT professionals; but as this incident shows, it is not the only step that should be taken to keep patient data safe.
The information on the stolen devices focused on patients in the hospital's Neurology and Neurosurgery Programs, but did not include Social Security numbers, insurance numbers or other financial account information. It did, however, include patient names or partial names, and possibly medical record numbers, ages, medications and information on diagnosis and treatment, according to BWH.
There's a thriving black market for medical identity information, with criminals using the information in a variety of ways, FierceHealthIT recently reported. Rather than simply using a credit card or Social Security number from a medical file to commit basic financial fraud, criminals can parse the information out to different buyers.
The Boston Police Department is investigating the robbery and the devices have not yet been recovered.
"Upon learning of this theft, BWH initiated a thorough investigation, including the creation of a multidisciplinary workgroup to respond to this incident," the announcement said.
In addition, the hospital is reviewing its policies and procedures to see if there are steps that need to be taken to prevent similar incidents.
Lost or stolen devices is one of the biggest worries health IT leaders face. Good Samaritan Health System CIO Rick Follett said that a fear of lost devices keeps him awake at night in a recent interview with FierceMobileHealthcare. Even with security systems in place--such as passcodes and pin numbers--the worry that a lost device could be hacked remains, he said.
In fact, in California about 70 percent of security breaches were due to unencrypted data on lost or stolen devices, according to a report published last month from the state's attorney general.
To learn more:
- read the announcement (.pdf)