MN: Fairview Health Services and North Memorial Hospital inform patients of breach due to Accretive Health's security #FAIL
Lorna Benson reports:
Fairview and North Memorial Hospitals are notifying more than 16,000 patients that a laptop containing their personal and medical information was stolen.
The laptop belonged to a healthcare services firm that coordinates services for Fairview. The theft occurred on July 25 in the parking lot of a Minneapolis restaurant.
The computer contained the names of 14,000 Fairview patients along with their addresses, dates of birth, some diagnostic information and social security numbers. Approximately 2,800 North Memorial patients were also affected, but the information on the laptop didn’t include their social security numbers or home addresses.
Read more on Minnesota Public Radio. Maura Lerner and Tony Kennedy of the Minneapolis Star Tribune add some additional details, including that Fairview was notified of the breach within days.
Not only was the laptop unencrypted – reportedly in violation of Accretive’s own policies and procedures – but their employee left the laptop in a car in a restaurant parking lot. Has the employee been fired? How often does Accretive actually audit laptops to confirm that they are properly encrypted? Accretive did not respond to requests for additional information about this incident.
I am really on the warpath about data losses due to unencrypted information being left in unattended cars. This is the second breach report today involving a laptop with unencrypted PHI being stolen from an employee’s car.
When is HHS going to start smacking some of these companies with fines for this type of easily avoidable and ridiculous breach? And if they won’t, will some state attorney general?
Although this breach will cost Accretive, who is footing the costs for free credit monitoring for those affected, there appear to be no long-term consequences for Accretive in terms of its relationship with Fairview:
Fairview’s chief clinical integration officer Dr. Mark Werner said privacy breach will not stop Fairview from exchanging patient information with Accretive Health.
“The sharing of health information is a challenge that we all face. But at the same time we need to continue to grow our capabilities of taking care of our community and our population of patients better and better,” Werner said. “And having committed strategic partners like Accretive I think is appropriate and part of that effort.”
Part of that effort should be auditing your strategic partners to ensure they are complying with your privacy and security clauses in your contract, too, no? Has Fairview done that? Will it do it now? And why did the data have to leave the premises instead of being remotely accessible to the consultant?
Yes, you are hearing disbelief and frustration. There is simply too much information needlessly leaving the reservation and more secure environments to be left in employees’ cars.
But that’s just my .02. Your mileage may vary.
Anonymous - September 28, 2011
Hm, interesting. I blogged about this story yesterday, using the Star Tribune as my source. I’ve gone back to the Tribune article, and it looks like any references to the laptop being a personal one to the employee have been removed. I know it was there as my own post centered around that particular “fact.”