Lucile Packard Children’s Hospital is no stranger to stolen equipment containing PHI. In January 2010, they self-reported a breach involving a stolen desktop computer with PHI on 532 patients, and as recently as January, they notified 57,000 patients after a laptop was stolen from a physician’s car. Now the hospital is notifying patients about another breach involving the theft of hardware with unencrypted PHI. From a statement on their web site:
Lucile Packard Children’s Hospital at Stanford is notifying patients by mail that a password-protected, non-functional laptop computer that could potentially contain limited medical information on pediatric patients was stolen from a secured, badge-access controlled area of the hospital sometime between May 2 and May 8, 2013. This incident was reported to Packard Children’s on May 8. Immediately following discovery of the theft, Packard Children’s launched an aggressive and ongoing investigation with security and law enforcement.
To date, there is no evidence that any pediatric patient data has been accessed by an unauthorized person or otherwise compromised.
What medical information was on the laptop?
The information that could potentially have been on the stolen computer related to operating room schedules, which the employee accessed as part of her work functions through Packard Children’s secure and encrypted electronic systems. The computer was password protected, but some information could have transferred to the laptop, and the laptop was not encrypted. The computer was outdated and damaged, thus on a schedule for collection by information technologists.
The information did not include financial or credit card information, nor did it contain Social Security numbers, insurance numbers or any other marketable information. The information on the operating room schedule that could have transferred to the computer would have been patient names, ages, medical record number, telephone number, scheduled surgical procedure, and name of physicians involved in the procedure over a three-year period beginning in 2009. To date, there is no evidence that any patient data has been accessed by an unauthorized person or otherwise compromised.
How many patients were potentially affected?
Out of an abundance of caution, we are providing outreach to approximately 12,900 patients, and we are assuring they are notified promptly.
When did the notifications begin?
Notifications to federal and state regulators, affected individuals and parents, and the media are under way as of June 11. Due to the law enforcement investigation, such notifications were delayed, as permitted by law, to avoid impeding the investigation.
How are potentially affected individuals being notified?
In addition to the mailed letters, a toll-free phone line has been established to answer questions for those notified. The toll-free number is (855) 683-1168, and is available Monday through Saturday from 6 a.m. to 6 p.m. PST. In addition, potentially affected individuals have been offered the option of free identity protection services.
How is the investigation proceeding?
So far, efforts to recover the computer have been unsuccessful, but the law enforcement investigation is still ongoing.
Lucile Packard Children’s Hospital strives to be an industry leader in the area of medical information security. As a result of this incident, we are taking additional steps to further strengthen our policies and controls surrounding the protection of patient data.