Mass. Eye and Ear Alerts Patients to Laptop Theft and Data Breach

On February 19, 2010, a laptop belonging to a physician affiliated with the Massachusetts Eye and Ear Infirmary was stolen while the physician was lecturing in South Korea. The laptop belonged to Dr. Robert Levine, a neurologist with a particular focus on ringing in the ears, or tinnitus.

To date, Mass. Eye and Ear has determined that data owned by Mass. Eye and Ear on Dr. Levine’s laptop contained demographic and health information of approximately 3,526 patients treated by Dr. Levine at Mass. Eye and Ear between February 3, 1988 and February 16, 2010, and of a small number of participants in research conducted by Dr. Levine at Mass. Eye and Ear who were not also Dr. Levine’s patients, as follows:

  • 67 participants in somatic tinnitus modulation research, and
  • One participant in pulsatile tinnitus research.

Dr. Levine reported the theft to police in South Korea. In addition, as required by law, Mass. Eye and Ear is reporting the loss of its patient and research participant information to the individuals affected, and to the appropriate state and federal authorities.

The following types of information about affected individuals associated with Mass. Eye and Ear may have been present on Dr. Levine’s laptop:

  • Name,
  • Address,
  • Telephone numbers,
  • E-mail,
  • Date of birth and age,
  • Sex,
  • Medical record numbers,
  • Dates of service,
  • Medical information, including diagnoses, symptoms, test results, and prescriptions,
  • Name and contact information for patient pharmacies, and
  • Research participant status.

In addition, four individuals’ information also included their pharmacy insurance account number.

To the best of Mass. Eye and Ear’s knowledge, Social Security numbers, financial account numbers and credit card or debit card numbers of individuals associated with Mass. Eye and Ear were not present on the laptop.

Mass. Eye and Ear is sending letters to affected individuals at their last known address. The hospital has posted a notice on its website in the event that the contact information for affected individuals is out of date and to provide notice to individuals for whom Mass. Eye and Ear has no contact information.

Individuals who fit into one of the categories above, and who do not receive a letter directly from Mass. Eye and Ear, may contact the Mass. Eye and Ear Breach Response Center at 877-313-1395 to determine if they are affected.

Mass. Eye and Ear has no indication that the information on the stolen computer has actually been accessed or inappropriately used. The computer was password protected and contained a tracking device commonly referred to as “LoJack.” The tracking device contacted LoJack on March 9 when the stolen computer was connected to the internet in South Korea. LoJack was able to monitor the computer’s configuration and on-line use, and determined that:

  • A new operating system was installed on the computer following the theft, and
  • Software needed to access most of the information about affected Mass. Eye and Ear individuals had not been reinstalled.

On April 9 it was determined that it was unlikely that continued monitoring of the computer would lead to its retrieval, and a command was sent by LoJack to the computer, permanently disabling the hard drive and rendering any information contained on the hard drive, including information about affected Mass. Eye and Ear individuals, permanently unreadable.

Despite the result of the tracking and destruction noted above, Mass. Eye and Ear is unable to know whether the information about affected Mass. Eye and Ear individuals on the computer was accessed between the date of the theft and March 9.

Should information have been inappropriately accessed, Mass. Eye and Ear does not believe that the information on the laptop regarding the affected Mass. Eye and Ear individuals presents a risk of financial identity theft. It is possible, however, that someone may be able to learn about affected Mass. Eye and Ear individuals’ medical care from the stolen data, and affected individuals may have a risk that someone may attempt to use that information to impersonate them in order to obtain medical care or medications in their name.

In order to protect affected Mass. Eye and Ear individuals, Mass. Eye and Ear is providing information on precautions that they can take to protect themselves against medical identity theft, and has arranged to provide them with one free year of credit monitoring, identity theft insurance and restoration services.

In order to prevent similar breaches from occurring in the future, Mass. Eye and Ear is updating its information security program, including, but not limited to, taking the following specific actions:

  • Deploying encryption to laptop computers that connect to Mass. Eye and Ear’s computer network, and
  • Providing education to Mass. Eye and Ear staff regarding limiting the amount of data stored on laptop computers.

Mass. Eye and Ear continues its investigation into the information on the stolen computer to determine whether there could be information about additional individuals associated with Mass. Eye and Ear that has not yet been detected. Should additional information be discovered, Mass. Eye and Ear will provide additional notices as appropriate.

“Mass. Eye and Ear apologizes to those affected for any concern, inconvenience, or risk that this incident may cause,” said John Fernandez, Mass. Eye and Ear president and CEO. “We regret that this incident occurred and are taking appropriate steps to protect individuals associated with Mass. Eye and Ear who may have been affected by this breach and to limit or prevent where possible such breaches in the future.”

Source: Mass. Eye and Ear

About the author: Dissent