42,000 West Penn Allegheny Health System Patients
Technorati Tag: Security Breach
Date Reported:
12/17/07
Organization:
West Penn Allegheny Health System
Contractor/Consultant/Branch:
None
Victims:
Home care and hospice patients
Number Affected:
42,000
Types of Data:
Names, Social Security numbers, phone numbers, addresses and patient care information
Breach Description:
On November 24th, 2007, a laptop containing sensitive personal information was stolen from the home of a nurse employed by the West Penn Allegheny Health System. Letters were sent to the 42,000 affected individuals on December 15th.
Reference URL:
WPXI News Story
WTAE-TV News Story
Report Credit:
Karen Welles, WPXI Target 11 Investigative Reporter
Response:
From the online sources cited above:
The names, social security numbers, phone numbers, addresses and patient care information of 42,000 patients were all on a laptop computer stolen from a nurse’s home.
A spokesman for West Penn Allegheny Health System said they are not aware of any inappropriate use of patient information.
[Evan] If the information were to be used inappropriately, it is highly unlikely that evidence would have turned up yet.
The computer and other possessions were stolen from a home care nurse's home.
The hospital said the data on the laptop is protected once the computer is shut off or when the battery runs out in about four hours.
[Evan] Protected how? By the Windows logon password? This is hardly the type of protection that this information warrants. The Windows logon password is easily bypassed in a matter of minutes. If the computer and data were protected with encryption, I would be more satisfied.
Only home care and hospice patients could be impacted, not patients at the hospitals.
Patients are advised to put a fraud alert on their credit files and the hospital is offering a one-year free membership to a credit monitoring agency.
[Evan] I have said this many times. A one-year membership to a credit monitoring agency has NO effect after a year. Criminals are not stupid. Why not wait a year, then use the information?
The computer was stolen Nov. 24, but patients weren't notified until letters went out on Dec. 15.
The database on the laptop goes back to the year 2000.
[Evan] What the *&^! is seven years of personal data doing on a laptop in the first place! No encryption just adds insult to injury.
Police have been notified and hospital officials are looking to add another safeguard to the laptops.
If patients have any questions or concerns call 1- Monday through Friday from 10 a.m. to 6 p.m. or e-mail the hospital at .
Commentary:
Should we be surprised about another unencrypted laptop containing sensitive personal information? Although we have seen this over and over, my answer is yes, we should be surprised to see these breaches. Are the people in charge of securing this personal information 1. Asleep, 2. Living in a cave, 3. Poorly trained, 4. Not good at getting leadership buy-in, or 5. All of the above?
As a first step, the West Penn Allegheny Health System should obtain the guidance of a reputable information security consultant to assess their entire information security program.
Past Breaches:
Unknown