A West Virginia health system is warning 43,000 patients their personal information may have been compromised after a laptop was stolen from an employee’s car.
In a letter (PDF) to patients, Coplin Health System’s CEO Derek Snyder said the laptop was password protected, but the hard drive was not encrypted, leaving the “remote possibility” that documents containing Social Security numbers, financial information and health data may have been accessed.
Following the Nov. 2 incident, the hospital’s IT department took several steps to disable the employee’s network accessibility. The hospital reported the incident to the Department of Health and Human Services’ Office for Civil Rights at the end of December.
“Based on information we have collected and which we have obtained from law enforcement authorities, we do not believe that the thief stole the laptop with the intention of accessing your personal information or that the thief would have the sophisticated knowledge and resources necessary to bypass the laptop’s security mechanisms,” the letter stated. “We also believe that the laptop probably did not contain any documents containing any patient’s personal information.”
Laptop theft has been a persistent cause of data breaches over the years, leading to multimillion-dollar fines from OCR. Ten incidents involving theft of a laptop, desktop or mobile device have been reported to HHS over the past three months. In December, a University of North Carolina clinic reported the theft of an unencrypted laptop during an October break-in, compromising information for more than 27,000 patients.