Expectant and new mothers at risk after University of Kentucky laptop theft


Date Reported:
8/19/10

Organization:
University of Kentucky

Contractor/Consultant/Branch:
UK HealthCare

Location:
Lexington, Kentucky

Victims:
"mothers in the Newborn Screening Program"

Number Affected:
2,027

Types of Data:
"patient names, medical record numbers as well as the date of birth, diagnosis, mother’s name, and in some instances, the social security numbers"

Breach Description:
"The University of Kentucky is notifying 2,027 people of a breach of protected health information. Between June 18 and June 21, 2010, a laptop computer containing information from the Newborn Screening Program was stolen from the Department of Pediatrics Newborn Screening Program."

Reference URL:
UK HealthCare
FOX41.com
HealthData Management
Lexington Herald-Leader

Report Credit:
University of Kentucky

Response:
From the online sources cited above:

The University of Kentucky is notifying 2,027 people of a breach of protected health information.

Between June 18 and June 21, 2010, a laptop computer containing information from the Newborn Screening Program was stolen from the Department of Pediatrics Newborn Screening Program.
[Evan] Does this mean that new mothers and newborns are affected by this breach?

The theft was reported to the UK Police Department which is handling the investigation.

We do not believe the laptop, which had been stored in a locked private office, was stolen for the information it contained or that any information has been released or used.
[Evan] I have a couple of issues with this statement. What good is a "locked" private office if it doesn't prevent or deter a theft? What other preventative physical measures were in place? My other issue deals with the motive for the theft. How does UK HealthCare come to believe that the laptop was stolen for the hardware and not the information it contained? What would be more valuable to a thief? I think that this is a dangerous assumption.

Access to the laptop was password-protected but the hard drive was not encrypted.
[Evan] How many times have I written this? A Windows XP Pro password is bypassed in less than 60 seconds, so what kind of protection is password protection? The logon password is enforced by the operating system, not by the disk: pull the drive, mount it in another machine, and every file on it is readable without ever seeing a logon prompt. Shame on UK HealthCare for not encrypting laptop hard drives.
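The distinction above, a logon password versus encryption of the drive itself, is something a fleet administrator can verify rather than assume. The following POSIX shell check is an added example, not code from the UK HealthCare notice or from this post: on a Linux laptop it walks from each mount point down to the physical disk and reports whether a dm-crypt/LUKS layer sits in between. It assumes util-linux's findmnt and lsblk are installed; the sample device chains are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the UK HealthCare notice or this blog): verify that
# the filesystems holding sensitive data are backed by dm-crypt/LUKS, i.e. that
# data at rest is encrypted rather than merely behind an OS login password.
# Assumes a Linux host with util-linux (findmnt, lsblk).

# chain_has_crypt TYPES
#   TYPES is the newline-separated output of `lsblk -sno TYPE DEV`, which lists
#   DEV and every device beneath it (e.g. lvm -> crypt -> part -> disk).
#   Returns 0 if any layer in the chain is a dm-crypt mapping, 1 otherwise.
chain_has_crypt() {
    printf '%s\n' "$1" | grep -qx 'crypt'
}

# mount_status MOUNTPOINT
#   Prints "encrypted", "PLAINTEXT" or "unknown" for a mount on the live host.
#   Exit status: 0 encrypted, 1 plaintext, 2 could not determine.
mount_status() {
    src=$(findmnt -no SOURCE "$1" 2>/dev/null) || { echo unknown; return 2; }
    types=$(lsblk -sno TYPE "$src" 2>/dev/null) || { echo unknown; return 2; }
    if chain_has_crypt "$types"; then
        echo encrypted
        return 0
    fi
    echo PLAINTEXT
    return 1
}

# Constructed sample of `lsblk -sno TYPE` output for an LVM root on top of a
# LUKS container (illustrative, not captured from a real machine) ...
SAMPLE_ENCRYPTED_CHAIN='lvm
crypt
part
disk'
# ... and for a root partition written straight to the disk, which is the
# situation described in the UK HealthCare notice.
SAMPLE_PLAINTEXT_CHAIN='part
disk'

# audit_mounts MOUNTPOINT...
#   Prints one line per mount point. Any PLAINTEXT line is a finding: a thief
#   who pulls the drive reads that data without ever seeing a login prompt.
#   Returns 0 only if every mount point is encrypted.
audit_mounts() {
    rc=0
    for mp in "$@"; do
        status=$(mount_status "$mp")
        printf '%-12s %s\n' "$mp" "$status"
        [ "$status" = encrypted ] || rc=1
    done
    return $rc
}

# Usage on a real host: sh check_fde.sh / /home
if [ $# -gt 0 ]; then
    audit_mounts "$@"
fi
```

`lsblk -s` lists the device and its ancestors, so LVM-on-LUKS layouts are recognised as encrypted while a bare partition is not. On Windows the equivalent check is `manage-bde -status` or `Get-BitLockerVolume`; the point in both cases is that the answer comes from the storage stack, not from whether a password prompt appears at boot.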

Information on the laptop consists of patient names, medical record numbers as well as the date of birth, diagnosis, mother’s name, and in some instances, the social security numbers of some of the mothers in the Newborn Screening Program.

The University of Kentucky deeply regrets this incident and continues its commitment to safeguard the privacy of its patients.
[Evan] Why didn't this "commitment" take into account the very well known risks surrounding this breach? If you can't adequately account for the risks associated with collecting information, don't collect it! If you are in the health care field you really only have one option.

UK HealthCare has policies and procedures in place to protect patient information, and is currently undertaking additional steps to reinforce those measures.
[Evan] Policies and procedures are a good start, but they are worthless without supporting action.

No credit card, debit card or bank account numbers were in this information.
[Evan] I would rather lose credit card, debit card, and bank account numbers than I would the information contained on this laptop.

The parents or guardians of affected patients, who were notified by mail, are encouraged to take the following steps recommended by the Federal Trade Commission to prevent any possible misuse of personal information.

The University of Kentucky is following all of the requirements of the American Recovery and Reinvestment Act of 2009 and the Health Information Technology for Economic and Clinical Health Act by notifying patients of the breach, publicly disclosing the breach to the local media, and posting information about the breach on our website.

For additional information, call toll-free at 1-.

We can be reached via email at:  . Local residents may call .

Commentary:
I think I have completely lost patience with organizations that permit sensitive data to be accessed from or stored on unprotected laptops and/or other mobile devices.

Past Breaches:
Unknown

Comments
  • 8/31/2010 11:28 AM Dissent wrote:
    "I think I have completely lost patience with organizations that permit sensitive data to be accessed from or stored on unprotected laptops and/or other mobile devices."

    Think of how much sooner you could have lost patience if you hadn't taken that totally unnecessary and inappropriate hiatus from blogging. ;^)

    That said, you may wish to skip reading the release from the University of Florida today.
