Stanford Breach Leads Roundup
Fourth Incident at University's Medical Facilities
In this week's breach roundup, a Stanford University-affiliated hospital is notifying about 57,000 patients whose information was stored on a stolen unencrypted laptop. Also, the Utah Department of Health reports that information on about 6,000 Medicaid clients was misplaced by a third-party contractor.
Stolen Laptop Affects 57,000 Patients
Lucile Packard Children's Hospital at Stanford and Stanford University School of Medicine are notifying about 57,000 patients whose information was stored on an unencrypted laptop that was stolen from a physician's car on Jan. 9.
This is the fourth major health data breach incident Stanford has experienced in recent years.
The information on the laptop, mostly from 2009, related to past care and research, according to a news release issued by Packard Children's. The data included names, dates of birth, basic medical descriptors and medical record numbers.
Upon learning of the theft on Jan. 10, the hospital launched an investigation with security and law enforcement. Affected individuals are being offered free identity protection services.
As a result of the breach, Packard Children's and the School of Medicine are "redoubling" their efforts to ensure all computers and devices containing medical information are encrypted, according to the news release.
In August 2012, Stanford Hospital & Clinics and the School of Medicine in Palo Alto, Calif., notified 2,500 patients that an unencrypted computer containing information about them was stolen from a physician's locked office.
In September 2011, Stanford Hospital & Clinics reported that a business associate caused a breach when information about 20,000 patients treated in the hospital's emergency department was posted on a website. A class action lawsuit tied to the incident is pending (see: Stanford Breach an Unusual Tale).
And on Jan. 11, 2010, Packard Children's Hospital experienced a computer breach when a computer containing information on 532 individuals was lost, according to the U.S. Department of Health & Human Services' Office for Civil Rights' listing of breaches affecting 500 or more individuals.
Utah Health Department Breached - Again
The Utah Department of Health is notifying approximately 6,000 Medicaid clients that their personal information was misplaced by a third-party contractor.
An employee for Goold Health Systems, which processes Medicaid pharmacy transactions for the health department, saved personal health information to an unencrypted portable USB drive, according to a statement from the department. The employee misplaced the device while traveling between Salt Lake City and Washington, D.C.
Information on the USB drive includes name, Medicaid identification number, age and recent prescription drug use history, according to the statement.
Goold Health Systems CEO Jim Clair says the employee is no longer with the company. "We take things like this very seriously and ... it's a violation of our company policy," he says.
An April 2012 breach at the state health department, tied to a hacking incident, exposed claims data for 780,000 Medicaid clients and Children's Health Insurance Plan recipients (see: Utah Health Breach Affects 780,000).
Restaurant Data Breach Hits 10 States
The Zaxby's restaurant chain has notified federal authorities of a computer system and point-of-sale breach that affected 108 locations in Florida, Kentucky, Georgia, South Carolina, Alabama, Mississippi, Tennessee, North Carolina, Virginia and Arkansas.
The source of the attacks was not disclosed in the Jan. 11 breach statement issued by Zaxby's Franchising Inc., but the restaurant chain says compromised computer systems at certain locations were found to have malware and other suspicious files stored locally. Those compromised systems were discovered during an internal forensics investigation, which the restaurant chain initiated after one of the major credit card brands identified several of its locations as common points of purchase for payment cards linked to fraudulent activity, Zaxby's spokeswoman Debbie Andrews says.
Zaxby's notes in its Jan. 11 breach notice that no evidence has yet been found to suggest card data was exposed. Still, the presence of suspicious files poses a risk that both customer names and card numbers could have been inappropriately accessed, the company states.
Motor Vehicle Records Inappropriately Accessed
The Minnesota Bureau of Criminal Apprehension is investigating why a former employee of the Minnesota Department of Natural Resources accessed driver's license and motor vehicle records without authorization.
Approximately 5,000 individuals are being notified about the incident, according to a news release from the department. Information viewed included name, date of birth, driver's license number, address, driver's license status and driver's license photo, the release said.
The database accessed is maintained by the Minnesota Department of Public Safety Driver and Vehicle Services.
The department reports that so far, the investigation hasn't found evidence that the data was sold, disclosed to others or used for criminal purposes.
"The DNR will not tolerate unauthorized access of private data," DNR Commissioner Tom Landwehr said in the release. "The agency is implementing additional employee training and looking into ways to monitor access to the data to ensure it doesn't happen again."