Lost Memorial Hospital laptop affects employees and retirees
Technorati Tag: Security Breach
Date Reported:
2/7/08
Organization:
Memorial Health System, Inc.
Contractor/Consultant/Branch:
Memorial Hospital
American Airlines
Victims:
Employees and retirees
Number Affected:
4,300
Types of Data:
Names, addresses, birth dates, ID numbers, and Social Security numbers
Breach Description:
An employee of Memorial Hospital lost a laptop containing sensitive personal information belonging to employees sometime while traveling in November, 2007. The employee claims that she gave the laptop to a flight attendant on an American Airlines flight so that it could be stowed properly.
Reference URL:
WSBT Channel 22 News
Report Credit:
Leanne Tokars, with a special thanks to the folks at Attrition.org
Response:
From the online source cited above:
Memorial Hospital has notified employees that a laptop containing personal information is missing.
An employee lost the laptop while traveling in November.
the missing computer contains their names, addresses, birth dates, ID numbers and social security numbers.
“The laptop she had was not encrypted. We were in the process of doing that for all our laptops, which we'll have done now probably in the next week or so,” said Dr. George Soper, vice president of Human Resources at Memorial Hospital. “This is an unfortunate situation and something you can never take lightly.”
[Evan] It stinks that this laptop was not encrypted. The good news is that the hospital is in process of encrypting all laptops. Encrypting all laptops should prevent similar exposure in the future. A quick question though, why did this HR person have this information on the laptop in the first place?
the employee had carried the laptop on an American Airlines flight, but the flight attendant took it away because there wasn't any room to store it where she was sitting.
[Evan] I travel semi-often, and I bring my (encrypted) laptop with me all the time. I always find space to store it during the flight. Weird.
Memorial waited to inform employees until investigations by both American Airlines and the hospital were finished.
[Evan] NOT a good practice. This information does not belong to Memorial or American Airlines, it belongs to the affected individuals. The employees had a right to know much sooner.
It affects about 4,300 full and part-time employees and retirees.
Memorial is offering to monitor their credit report for one year for free.
[Evan] Regular Breach Blog readers have heard this before, but monitoring is an "after the fact" solution by definition. Meaning IF there are victims, they will be alerted when they are already victims of identity theft. A year or monitoring is not sufficient for information that does not expire.
“We've had maybe 50, 60 calls from that population so far and some are pretty upset about it, some curious, but yeah, there's concern about it,” said Soper.
Employees at Memorial tell WSBT they are upset but wouldn't go on camera for fear of losing their jobs.
[Evan] This is sad.
The laptop did not contain any patient information.
Employees have to sign up if they want to take part in the free credit monitoring.
Interesting comments:
From "Mad employee": I find this situation disgusting. As a medical professional that works there, I feel the hospital staff as a whole are very caring individuals who do thier best to provide excellent patient care. Hovever, human resources is a joke.
From "Anonymous": I don;t think it is right that Memorial would allow a employee to take such information out of the office (this infor. should never leave the HR office) does this comply with hippa laws?
From "Beyond Angry": Memorial says everything is ok because (and they put no in caps Social Security numbers, etc. are out there forever. I want to know why Memorial waited to tell us about this. What about our checking deposit information? Was it there also? They aren't saying.
From "Employee": It wasn't a she it was a he, and no HE didn't loose his job...very very sad state of affairs
Commentary:
The commenters on the original story make some good common sense points about this breach. Why is sensitive personal information allowed outside of a controlled environment? I applaud the hospital for the decision to encrypt laptops, but they should be slapped for taking so long to inform victims.
All breaches have victims. Sad, but true.
Past Breaches:
Unknown
Date Reported:2/7/08
Organization:
Memorial Health System, Inc.
Contractor/Consultant/Branch:
Memorial Hospital
American Airlines
Victims:
Employees and retirees
Number Affected:
4,300
Types of Data:
Names, addresses, birth dates, ID numbers, and Social Security numbers
Breach Description:
An employee of Memorial Hospital lost a laptop containing sensitive personal information belonging to employees sometime while traveling in November, 2007. The employee claims that she gave the laptop to a flight attendant on an American Airlines flight so that it could be stowed properly.
Reference URL:
WSBT Channel 22 News
Report Credit:
Leanne Tokars, with a special thanks to the folks at Attrition.org
Response:
From the online source cited above:
Memorial Hospital has notified employees that a laptop containing personal information is missing.
An employee lost the laptop while traveling in November.
the missing computer contains their names, addresses, birth dates, ID numbers and social security numbers.
“The laptop she had was not encrypted. We were in the process of doing that for all our laptops, which we'll have done now probably in the next week or so,” said Dr. George Soper, vice president of Human Resources at Memorial Hospital. “This is an unfortunate situation and something you can never take lightly.”
[Evan] It stinks that this laptop was not encrypted. The good news is that the hospital is in process of encrypting all laptops. Encrypting all laptops should prevent similar exposure in the future. A quick question though, why did this HR person have this information on the laptop in the first place?
the employee had carried the laptop on an American Airlines flight, but the flight attendant took it away because there wasn't any room to store it where she was sitting.
[Evan] I travel semi-often, and I bring my (encrypted) laptop with me all the time. I always find space to store it during the flight. Weird.
Memorial waited to inform employees until investigations by both American Airlines and the hospital were finished.
[Evan] NOT a good practice. This information does not belong to Memorial or American Airlines, it belongs to the affected individuals. The employees had a right to know much sooner.
It affects about 4,300 full and part-time employees and retirees.
Memorial is offering to monitor their credit report for one year for free.
[Evan] Regular Breach Blog readers have heard this before, but monitoring is an "after the fact" solution by definition. Meaning IF there are victims, they will be alerted when they are already victims of identity theft. A year or monitoring is not sufficient for information that does not expire.
“We've had maybe 50, 60 calls from that population so far and some are pretty upset about it, some curious, but yeah, there's concern about it,” said Soper.
Employees at Memorial tell WSBT they are upset but wouldn't go on camera for fear of losing their jobs.
[Evan] This is sad.
The laptop did not contain any patient information.
Employees have to sign up if they want to take part in the free credit monitoring.
Interesting comments:
From "Mad employee": I find this situation disgusting. As a medical professional that works there, I feel the hospital staff as a whole are very caring individuals who do thier best to provide excellent patient care. Hovever, human resources is a joke.
From "Anonymous": I don;t think it is right that Memorial would allow a employee to take such information out of the office (this infor. should never leave the HR office) does this comply with hippa laws?
From "Beyond Angry": Memorial says everything is ok because (and they put no in caps Social Security numbers, etc. are out there forever. I want to know why Memorial waited to tell us about this. What about our checking deposit information? Was it there also? They aren't saying.
From "Employee": It wasn't a she it was a he, and no HE didn't loose his job...very very sad state of affairs
Commentary:
The commenters on the original story make some good common sense points about this breach. Why is sensitive personal information allowed outside of a controlled environment? I applaud the hospital for the decision to encrypt laptops, but they should be slapped for taking so long to inform victims.
All breaches have victims. Sad, but true.
Past Breaches:
Unknown
Posted by Evan Francen at 2/8/2008 2:06 PM 
Categories: Memorial Hospital, Lost Laptop, American Airlines
Categories: Memorial Hospital, Lost Laptop, American Airlines
Posts Atom 1.0
Comments