MN: Fairview Health Services and North Memorial Hospital inform patients of breach due to Accretive Health's security #FAIL
Lorna Benson reports:
Fairview and North Memorial Hospitals are notifying more than 16,000 patients that a laptop containing their personal and medical information was stolen.
The laptop belonged to a healthcare services firm that coordinates services for Fairview. The theft occurred on July 25 in the parking lot of a Minneapolis restaurant.
The computer contained the names of 14,000 Fairview patients along with their addresses, dates of birth, some diagnostic information and social security numbers. Approximately 2,800 North Memorial patients were also affected, but the information on the laptop didn’t include their social security numbers or home addresses.
Not only was the laptop unencrypted – reportedly in violation of Accretive’s own policies and procedures – but their employee left the laptop in a car in a restaurant parking lot. Has the employee been fired? How often does Accretive actually audit laptops to confirm that they are properly encrypted? Accretive did not respond to requests for additional information about this incident.
I am really on the warpath about data losses due to unencrypted information being left in unattended cars. This is the second breach report today involving a laptop with unencrypted PHI being stolen from an employee’s car.
When is HHS going to start smacking some of these companies with fines for this type of easily avoidable and ridiculous breach? And if they won’t, will some state attorney general?
Although this breach will cost Accretive, who is footing the costs for free credit monitoring for those affected, there appear to be no long-term consequences for Accretive in terms of its relationship with Fairview:
Fairview’s chief clinical integration officer Dr. Mark Werner said privacy breach will not stop Fairview from exchanging patient information with Accretive Health.
“The sharing of health information is a challenge that we all face. But at the same time we need to continue to grow our capabilities of taking care of our community and our population of patients better and better,” Werner said. “And having committed strategic partners like Accretive I think is appropriate and part of that effort.”
Part of that effort should be auditing your strategic partners to ensure they are complying with your privacy and security clauses in your contract, too, no? Has Fairview done that? Will it do it now? And why did the data have to leave the premises instead of being remotely accessible to the consultant?
Yes, you are hearing disbelief and frustration. There is simply too much information needlessly leaving the reservation and more secure environments to be left in employees’ cars.
But that’s just my .02. Your mileage may vary.