Stolen Laptop Affects 30,000 Patients
SSNs Included in Compromised Data
The University of Texas MD Anderson Cancer Center is notifying 30,000 patients of a data breach after an unencrypted laptop was stolen from a faculty member's home.
According to a notice posted on MD Anderson's website, the laptop was stolen on April 30. The Houston-based organization was notified about the incident on May 1. The cancer center then contacted outside forensics experts and began an investigation to find out what data was contained on the laptop.
Information that may have been on the laptop includes patient names, medical record numbers, treatments, research information, and in some instances Social Security numbers, the notice explained.
As a result of the breach, MD Anderson is taking steps to encrypt all computers. "This technology scrambles each computer's data to make it more difficult for unauthorized users to retrieve any information," the notice says.
"We also are reinforcing with all employees our privacy policies in the handling of patient information."
Notices were mailed to affected patients on June 28.
The organization is providing complimentary credit monitoring services to affected patients, although a spokeswoman for the organization couldn't specify for how long.
Lack of Encryption: A Common Issue
The lack of encryption around laptops and other mobile devices is a well-known issue, says security consultant Rebecca Herold of Rebecca Herold & Associates. "The hospitals and clinics I'm working with are constantly battling this," she says. "The CISOs and CPOs I know understand the risks and are trying to get encryption rolled out to all mobile devices."
But the problem, Herold says, comes with physicians and their staffs who think it takes too long to install encryption software on their equipment and that doing so may, as a result, disrupt patient care. Also, hospital staffers continue to use their personal mobile devices in addition to the ones provided by the hospital. This in turn leads to PHI accumulating on these devices, often without IT personnel being aware of it, Herold explains.
"Often, hospital executives who have closer communications with their physicians than they do with their IT folks don't understand the real risks involved with clear text PHI in mobile devices," Herold says. "Physicians, nurses and their staff often overestimate their information security understanding, and then do things without realizing they're laying the groundwork for a breach."
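The clear-text PHI that Herold describes accumulating on laptops and personal devices is only a risk IT can manage once it knows where the data sits. The following is an added example, not code from the article or from MD Anderson, of a small discovery scan that flags files containing plausible Social Security numbers or medical record numbers so they can be encrypted or removed. The "MRN" followed by seven digits format is an assumption made for the example; real record-number formats vary by institution. The sample files are constructed in memory so the script runs offline.

```python
import os
import re
from typing import Dict, List

# Candidate SSN: NNN-NN-NNNN with word boundaries on both sides.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Hypothetical medical record number format assumed for this example: "MRN" + 7 digits.
MRN_RE = re.compile(r"\bMRN\s?\d{7}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues (area 000, 666, 900-999; group 00;
    serial 0000) so that phone fragments and order numbers produce fewer
    false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def scan_text(text: str) -> Dict[str, int]:
    """Count plausible SSNs and MRNs in one file's contents."""
    ssn_hits = sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))
    mrn_hits = len(MRN_RE.findall(text))
    return {"ssn": ssn_hits, "mrn": mrn_hits}


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a {path: contents} mapping; return one finding per file with hits,
    sorted by path so output is stable."""
    findings = []
    for path in sorted(files):
        counts = scan_text(files[path])
        if counts["ssn"] or counts["mrn"]:
            findings.append({"path": path, **counts})
    return findings


def scan_directory(root: str) -> List[dict]:
    """Walk a real directory tree and scan every file as UTF-8 text, skipping
    anything that cannot be decoded (binaries, disk images, etc.)."""
    files: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8") as fh:
                    files[path] = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
    return scan_files(files)


# Constructed sample "files", standing in for a clinician's home directory.
SAMPLE_FILES = {
    "Documents/clinic_notes.txt": "Patient Jane Doe, MRN 0012345, SSN 219-09-9999, chemo cycle 3 scheduled.",
    # Looks like SSNs but uses shapes the SSA never issues; should not be flagged.
    "Downloads/invoice.txt": "Order 000-00-0000 shipped; call 900-55-1234 for support.",
    "Research/cohort.csv": "id,ssn\n1,123-45-6789\n2,456-78-9012\n",
}


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding['path']}: {finding['ssn']} SSN(s), {finding['mrn']} MRN(s)")
```

Run against a real machine with `scan_directory("/home/user")` (path assumed); the in-memory `scan_files` path exists so the logic can be exercised without touching a disk. The plausibility filter is deliberately conservative: it reduces noise on invoices and phone numbers but will not catch SSNs written without hyphens, which a production scanner would also need to handle.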
HHS Tracking of Healthcare Breaches
The Department of Health and Human Services' Office for Civil Rights maintains a federal tally of individuals affected by major information breaches after it conducts an investigation and confirms the details. The list tracks breaches affecting 500 or more individuals that have occurred since late September 2009, when the HITECH Act-mandated breach notification rule went into effect.
More than half of all the major breaches reported since the rule went into effect have involved lost or stolen unencrypted electronic devices or media. By comparison, only about 7 percent have involved a hacker attack. About 22 percent of the breaches have involved a business associate.