Loma Linda University Medical Center confirms breach
Date Reported: 5/25/10
Organization: Loma Linda University Medical Center
Contractor/Consultant/Branch: None
Location: Loma Linda, California
Victims: "surgical patients"
Number Affected: "more than 500"
Types of Data: "name, medical record number, diagnosis, surgery date, and the type of procedure"
Breach Description: "A thief has stolen personal information regarding more than 500 surgical patients of Loma Linda University Medical Center, according to hospital officials."
Reference URL:
The Press-Enterprise
Associated Press via San Jose Mercury News
Report Credit: Richard Brooks, The Press-Enterprise
Response:
From the online sources cited above:
A thief has stolen personal information regarding more than 500 surgical patients of Loma Linda University Medical Center, according to hospital officials.
A desktop computer containing the information disappeared April 5 from the department of surgery's administrative office on Campus Street.
[Evan] Thieves don't normally steal desktop computers for their street value. Laptop theft is much more common. I wonder if there is video surveillance footage to corroborate the "thief" theory, or if the computer just "disappeared" for some other reason (support personnel withdrew or moved it). There should be some monitoring controls to review, I suppose.
San Bernardino County deputy sheriffs are investigating but the machine hasn't been recovered.
The missing information includes each patient's name, medical record number, diagnosis, surgery date, and the type of procedure.
[Evan] Personally, I am more concerned about health information compromise than I am about financial or other personally identifiable information. There are just a lot of bad things that can be done with health information.
"Patients whose information may have been included in the theft have been notified regarding the breach," hospital spokeswoman Jemellee Ambrose said in a written statement.
"Individuals ...who may have concerns regarding this potential breach of privacy are asked to call the Office of Corporate Compliance at ."
Commentary:
It seems like common sense nowadays to encrypt mobile devices with storage capacity (laptops, smart phones, PDAs, flash drives, backup tapes, etc.), but a vast majority of organizations do not encrypt desktop computers. Breaches like this one can certainly be used to make a case for encryption at end points that are not meant to be mobile (desktops), especially if these devices are used to collect, create, process, store, and/or access sensitive information. Of course, encryption is only as good as the processes that support it (encryption and key management policies and procedures).
A secondary thought: what do you think was the motivation behind the theft?
Past Breaches: Unknown
Well, I should say that being a criminal defense attorney, I know of numerous cases where people lend and/or steal insurance information regarding someone who resembles them in age/race, etc. and use the insurance to get "free" operations, etc. Sale of this information can be quite lucrative. An inside job is never discounted in my mind in any theft like this. The employees know about these insurance scams and how much money there is to be made off sale of insurance information.
Mr. Curbo, it is very nice to hear from you again. I hope you have been well!
Good points. Thanks!