Stolen General Internal Medicine laptop exposes nearly 12,000

Date Reported:
4/25/08

Organization:
General Internal Medicine of Lancaster (PA)

Contractor/Consultant/Branch:
None

Victims:
Patients*

*"who visited the office of General Internal Medicine of Lancaster, 2301 Columbia Ave., from 2005 through 2007"

Number Affected:
"nearly 12,000"

Types of Data:
Names, addresses, telephone and Social Security numbers

Breach Description:
"EAST HEMPFIELD TOWNSHIP, Pa. -- A laptop stolen from a doctor's office containing the Social Security numbers of patients and office staff was stolen recently in East Hempfield Township, Lancaster County."

Reference URL:
WGAL Channel 8 News
Lancaster Intelligencer Journal
General Internal Medicine of Lancaster

Report Credit:
General Internal Medicine of Lancaster (PA)

Response:
From the online sources cited above:

EAST HEMPFIELD TOWNSHIP, Pa. -- A laptop stolen from a doctor's office containing the Social Security numbers of patients and office staff was stolen recently in East Hempfield Township, Lancaster County.
[Evan] Why do we store personal (and other confidential) information on poorly secured laptops?  Why, why, why?

A medical practice in East Hempfield Township is contacting nearly 12,000 of its patients to notify them that a computer was stolen from the office April 17.

"We're just sick about this," said practice manager Lois Summers. "We know that the computer didn't contain the information of all (12,000) patients, but we notified everyone we saw during that three-year period just to be safe."
[Evan] The organization is not providing (as far as I can tell) fraud alert or credit monitoring, but the costs are probably still significant.  12,000 mailings have a hard cost and are pretty easy to quantify.  The price involved with lost confidence and visits is harder to nail down.

Office workers on April 17 were taking paper records bearing basic patient information and scanning them into a laptop computer so the records could then be transferred to a disk.
[Evan] Even in a small-scale project it is important to evaluate risks EARLY on in the process, before work starts.

After that process was completed, the office planned to burn the paper records.

No medical information about patients was compromised.

The computer contained the names, addresses, telephone numbers and Social Security numbers of many of the patients who visited the office of General Internal Medicine of Lancaster, 2301 Columbia Ave., from 2005 through 2007.

East Hempfield Township police said someone stole the computer from an unlocked conference room inside the Physicians Alliance office building on Columbia Avenue last week.

An employee left the area where the scanning was being done for a brief period the morning of April 17. When that employee returned, Summers said, the laptop was gone.
[Evan] It only takes a second or two for a thief to nab a mobile device.  People think that it won't happen to them until it does.  Then it's like "@^ @%*#"!  Understand that these things will happen.  We don't know when.  We don't know how.  We don't know where.  Many times the hardware costs are a write-off, but what is the cost of personal information for which you are not the owner?  We can take steps to significantly reduce the risk of data exposure.

Police said they suspect whoever stole the laptop wanted the computer more than the information on it.
[Evan] Sure.

Investigators also said the personal information is not easy to access.
[Evan] "Not easy" is subjective.  If the information was only protected by an operating system password, then the information is likely very easy to access.

"Obviously, this was not a secure system we had and it will never be done again in this office," Summers said. "We need a secure (computer) drive that cannot be removed from the office."
[Evan] Excellent quote: "Obviously, this was not a secure system".  Lois Summers then goes on to address physical security of the drive itself.  Physical security is very important, but it should be noted that logical security (biometrics, encryption, etc.) is equally important.

General Internal Medicine of Lancaster, located in the office building, sent a letter to patients to alert them of what happened.

Anyone with questions is urged to call General Internal Medicine at 397-2738.

Commentary:
The General Internal Medicine of Lancaster web site prominently displayed a "Fraud Alert" graphic in the middle of the home page.

I appreciate organizations that do not hide the fact that personal information (entrusted to them) has been compromised.  Losing the information causes enough stress for victims.  General Internal Medicine does a good job of openly admitting the breach and providing information. Their "Fraud Alert" page even provides a link to a copy of the East Hempfield Township police report.  I get a real sense that the organization feels terrible about the breach and has taken steps to mend the relationship with patients.  I don't get this sense from many breaches.

Unfortunately the information security practices at General Internal Medicine that led to this breach are commonplace in many organizations of all sizes, in many industries.

Past Breaches:
Unknown
