Fifth Stanford Breach Leads Roundup

Laptop Theft at Lucile Packard Children's Hospital

In this week's breach roundup, Stanford University's Lucile Packard Children's Hospital is reporting its third major breach involving a laptop. The incident is also the fifth significant breach affecting Stanford healthcare units since 2010.

The hospital is notifying about 13,000 patients that an unencrypted laptop was stolen from a secured area of the hospital.

The information on the laptop is related to operating room schedules, according to a statement issued by the hospital. That includes patient names, ages, medical record numbers, telephone numbers, scheduled surgical procedures and names of physicians involved in the procedures over a three-year period beginning in 2009.

The hospital says it has no evidence that any patient data has been accessed by an unauthorized person.

In January, the hospital had another unencrypted laptop stolen, affecting 57,000 patients (see: Stanford Breach Leads Roundup). And back in January 2010, the hospital lost a laptop that contained information on 532 individuals, according to the Department of Health and Human Services' Office for Civil Rights' tally of breaches.

Other Stanford healthcare breaches have included:

  • A September 2011 breach in which Stanford Hospital & Clinics reported that a business associate's subcontractor posted information on a website about 20,000 patients treated in a hospital emergency department. That incident prompted a class action lawsuit.
  • An August 2012 breach, affecting 2,500 patients, that involved the theft of an unencrypted computer from a physician's locked office.

Breached Records Used for Healthcare Offers

Gulf Breeze Family Eyecare in Florida is notifying patients that their breached records apparently are being used by an unauthorized individual or company to contact them to offer other medical services.

The clinic discovered its medical records were accessed inappropriately and "all or part of its patients' medical records were copied," according to a statement posted on its website. The records include names, addresses, Social Security numbers and healthcare information, the statement said.

A news outlet, the Pensacola News Journal, is reporting that 9,000 patients were affected.

The organization is pursuing legal options to recover the misappropriated records and prevent the individuals who accessed the records from further using them for any purpose, the statement said.

Burglary Prompts Patient Notification

The North Lincoln County Community Health Center Clinic in Oregon is notifying patients of a burglary that may have compromised patient records.

On the evening of April 17, burglars forced open locked doors, rooms and cabinets and took money, the clinic said in a statement. "But it appears no other records or materials were removed. No electronic devices were taken or accessed."

One of the locked rooms broken into, however, contained medical charts for the clinic's clients. Those charts contained protected health information and may also have contained Social Security numbers and personal financial information, the clinic said.

It's unclear how many patients were notified. The clinic did not respond to a request for comment.

Fax Errors Lead to £55,000 Penalty

The UK Information Commissioner's Office has fined the North Staffordshire Combined Healthcare NHS Trust in England £55,000 after it mistakenly sent three separate faxes containing sensitive medical details to one unauthorized individual.

The incidents occurred between August and September 2011, when the faxes, which were intended to go to the trust's Wellbeing Centre, were instead sent to the unauthorized individual, according to a statement from the ICO.

The error was caused by the fax number being incorrectly dialed each time, the ICO said.

The Wellbeing Centre is responsible for providing psychological therapies for the trust, according to the statement. The compromised information included patients' names, addresses, medical histories and details of their physical and mental health.

The trust had established best practices which required staff to "phone ahead" to ensure faxes were being sent to the right address and had been successfully received. After investigating, the ICO found that the guidance had not been communicated to the staff involved and that they had received no specific training on the secure use of fax machines.

About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
