Thomas Jefferson Hospitals notifies 21,000 patients of stolen laptop


Date Reported:
7/23/10

Organization:
Jefferson Health System

Contractor/Consultant/Branch:
Thomas Jefferson University Hospitals

Location:


Victims:
Patients who "received inpatient care at Thomas Jefferson University Hospitals in 2008 between March 9 and June 9 and between August 1 and November 1"

Number Affected:
"approximately 21,000"

Types of Data:
"name, birth date, gender, ethnicity, diagnosis, social security number, insurance information, hospital account number and other internal and administrative coding"

Breach Description:
"Thomas Jefferson University Hospitals has notified approximately 21,000 patients that there was a theft of a laptop computer containing personal information."

Reference URL:
Office of Inadequate Security
Thomas Jefferson University Hospitals Data Security Breach notice

Report Credit:
Office of Inadequate Security and Thomas Jefferson University Hospitals

Response:
From the online sources cited above:

Thomas Jefferson University Hospitals has notified approximately 21,000 patients that there was a theft of a laptop computer containing personal information.
[Evan] We don't see quite as many breaches resulting from lost/stolen laptops as we used to.

Affected patients have been sent a letter detailing the extensive identity protection resources being made available to them.

On June 14, 2010, an employee reported to Thomas Jefferson University Hospitals' security personnel that his password-protected, personal laptop computer was stolen from an office in the hospital.
[Evan] We have preached this many times before: password protection is nowhere near adequate protection.  A Windows XP login password can be bypassed in under 60 seconds, because the login password does not protect the data on the disk; boot the machine from other media, or reset the account password, and every file is readable.  So we preach encryption, but even encryption is inadequate without sound information security principles behind it (key and password management).
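The second half of that point, that encryption is only as strong as the passphrase and key handling behind it, as an added illustration (this is not code from the post, from FRSecure or from the hospital): a thief holding an encrypted laptop also holds the volume's unencrypted header, and can test passphrase guesses offline for as long as they like. The header layout, the PBKDF2 work factor, the wordlist and the passphrases below are all constructed stand-ins, not any real product's format or any real data.

```python
"""Offline passphrase guessing against a full-disk-encryption style header.

Added illustration with constructed data; it models the general mechanism,
not any particular product.
"""
import hashlib
import hmac
import secrets

# Constructed work factor in the range real disk-encryption tools use.
# Each guess costs the attacker this many HMAC-SHA256 rounds.
ITERATIONS = 100_000
KEY_LEN = 32


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a passphrase into a 256-bit volume key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def make_header(passphrase: str, iterations: int = ITERATIONS) -> dict:
    """Build the unencrypted metadata an encryption tool keeps on disk.

    It stores the salt, the work factor and a verifier (hash of the derived
    key) so the tool can check a passphrase before unlocking the volume.
    Whoever has the stolen disk has all of this and can check guesses
    without ever touching the login screen.
    """
    salt = secrets.token_bytes(16)
    key = derive_key(passphrase, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "verifier": hashlib.sha256(key).digest(),
    }


def check_passphrase(header: dict, candidate: str) -> bool:
    """True if `candidate` derives the key the header was built with."""
    key = derive_key(candidate, header["salt"], header["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), header["verifier"])


def crack(header: dict, wordlist) -> tuple:
    """Dictionary attack: (recovered passphrase or None, guesses made)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if check_passphrase(header, candidate):
            return candidate, attempts
    return None, attempts


# Constructed wordlist standing in for the leaked-password lists attackers
# really use; a weak passphrase is one that appears in such a list.
WORDLIST = [
    "password", "123456", "letmein", "welcome1",
    "hospital1", "Summer2010", "qwerty", "P@ssw0rd",
]


def demo() -> tuple:
    """Run the attack against a weak and a strong (constructed) passphrase."""
    weak = make_header("hospital1")
    strong = make_header("crane-violet-ledger-sparrow-42")
    return crack(weak, WORDLIST), crack(strong, WORDLIST)


if __name__ == "__main__":
    (found, n), (missed, m) = demo()
    print(f"weak passphrase recovered: {found!r} after {n} guesses")
    print(f"strong passphrase recovered: {missed!r} after {m} guesses (list exhausted)")
```

The work factor only multiplies the cost of each guess; it does not save a passphrase that is in the attacker's list. That is the key-management half of the principle: full-disk encryption protects a stolen laptop only when the unlocking secret is long, not reused, and not written on a sticky note in the bag.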

In violation of hospital policy, the computer contained protected health information.
[Evan] Good policy is great!  Everything in information security should start with policy, but policy is only the start.  Policy without enforcement is useless: this hospital had the policy and annual training, and protected health information still ended up on a personal, unencrypted laptop.  A policy that says "don't" needs a control that makes "can't" true.

Individuals whose records were affected received inpatient care at Thomas Jefferson University Hospitals in 2008 between March 9 and June 9 and between August 1 and November 1.

The data included name, birth date, gender, ethnicity, diagnosis, social security number, insurance information, hospital account number and other internal and administrative coding.
[Evan] Ugh, another ID theft bonanza.

Though the computer was password-protected, it was not hospital-issued and the information was not encrypted.
[Evan] Really?  The laptop was not "hospital-issued"?!  This is a big bad no-no.  Permitting an employee (administratively, technically and/or physically) to use a personal or non-issued computing device to create, receive, store, process or transmit sensitive information is bad security practice.

To date, there has been no indication of inappropriate use of the information stored on the stolen computer.  

"On behalf of everyone at Jefferson Hospitals, please accept our apologies and know that we are committed to providing assistance to the affected patients," said Hospitals President and Chief Executive Officer Thomas J. Lewis.
[Evan] I am always appreciative of remarks made by a corporate leader with respect to information security.  In my opinion, it demonstrates commitment and responsibility.

"Jefferson Hospitals has extensive internal policies reflecting our commitment to the appropriate use of personal health information and employees receive training on these policies annually. The storage of patient data on an employee’s unencrypted computer – even while on TJUH premises – is a breach of hospitals’ policy.”

Subsequent to notifying police, Thomas Jefferson University Hospitals engaged Kroll Inc. to assist with the internal investigation and to provide patients with personal assistance.

Additionally, Thomas Jefferson University Hospitals has taken appropriate action with the employees involved, is reviewing internal protocols, and will be reinforcing these protocols through employee education at all Jefferson Hospitals.

Each patient affected by this incident is currently being notified via first class U.S. mail.

Anyone concerned about whether or not his or her information was affected can call 1- for more information (9 a.m. to 6 p.m. Eastern Time, Monday – Friday).

Commentary:
I am used to reading about and commenting on breaches concerning lost or stolen laptops containing sensitive personal information, but this is one of the few that I recall concerning a personally-owned or non-company issued laptop.  The fact that this constitutes poor information security practice seems like common sense to me, but I guess this only supports FRSecure's Information Security Principle #6 - There is no common sense in information security.  Read (pdf): FRSecure's Information Security Principles

Past Breaches:
Unknown

 