A stolen backup computer affects 1,441 clinic patients

Date Reported:
10/2/07

Organization:
Athens Regional Health Services*

*Parent company of Athens Regional Medical Center and Regional First Care clinic

Contractor/Consultant/Branch:
Regional First Care clinic

Victims:
Regional First Care clinic patients

Number Affected:
1,441

Types of Data:
(85 people) Social Security numbers, (545) "some health information", and (811) name, address and/or phone number.

Breach Description:
A computer used by the clinic to store backup data was stolen sometime before September 24th, 2007.  The computer contained sensitive clinical patient data.

Reference URL:
Athens Banner-Herald

Report Credit:
Lee Shearer, Staff Writer for Online Athens

Response:
From the online article cited above:

"A computer missing from a Regional First Care clinic in Watkinsville held the personal information of more than 1,400 people, according to Athens Regional Health Services, the parent corporation of Athens Regional Medical Center and the clinic."

"Workers at the 1010 Village Drive clinic first noticed on Sept. 24 that the Dell Optiplex GX-620 computer was missing."
[Comfyllama] It is unclear how long the computer has actually been missing.

"The computer held Social Security numbers for 85 people, some health information for 545 people and the name, address and/or telephone numbers of 811 people, ARHS chief information officer Timothy Penning said in a news release Tuesday."
[Comfyllama] We don't often get this much detail.  The 811 people that only had name, address and/or telephone number exposed are obviously at less risk than the other victims, as this information is largely public anyway.

"No credit card or other financial information was stored on the computer, which was a backup server for the Watkinsville clinic."

"The computer did not have access to patient records from affiliated ARHS organizations such as Athens Regional Medical Center, or from other Regional First Care clinics, said ARMC spokeswoman Elaine Cook."

"Through late Tuesday afternoon, no one had reported any evidence that confidential information had been read, shared or used in any way, she said."

"Concerned patients can call a special number set up by ARHS, "

Commentary:
I think this sort of breach happens much more often than we know. In many of the consulting engagements I have had with medical organizations in the past, I have seen some very alarming things. I am guessing that the Dell backup workstation was not physically secure in a locked room with restricted access to keys, and it is upsetting that the backup data was not encrypted.

The Athens Regional Medical Center (armc.org) home page now states "Update on Server Theft at Regional First Care in Watkinsville", then goes on with "As you may have read in the 10/2/2007 edition of the Athens Banner-Herald"

Past Breaches:
Unknown




 