PA: Thomas Jefferson University Hospitals Notify Patients of Security Breach

From the hospital’s web site today:

Notice to Patients:

Thomas Jefferson University Hospitals has notified approximately 21,000 patients that there was a theft of a laptop computer containing personal information. Affected patients have been sent a letter detailing the extensive identity protection resources being made available to them.

On June 14, 2010, an employee reported to Thomas Jefferson University Hospitals’ security personnel that his password-protected, personal laptop computer was stolen from an office in the hospital. In violation of hospital policy, the computer contained protected health information. Individuals whose records were affected received inpatient care at Thomas Jefferson University Hospitals during a six-month period in 2008. The data included name, birth date, gender, ethnicity, diagnosis, social security number, insurance information, hospital account number and other internal and administrative coding. Though the computer was password-protected, it was not hospital-issued and the information was not encrypted. To date, there has been no indication of inappropriate use of the information stored on the stolen computer.

“On behalf of everyone at Jefferson Hospitals, please accept our apologies and know that we are committed to providing assistance to the affected patients,” said Hospitals President and Chief Executive Officer Thomas J. Lewis. “Jefferson Hospitals has extensive internal policies reflecting our commitment to the appropriate use of personal health information and employees receive training on these policies annually. The storage of patient data on an employee’s unencrypted computer – even while on TJUH premises – is a breach of hospitals’ policy.”

Read more on their web site.

Great thanks to Adam Dodge of ESI for alerting me to this notice.

About the author: Dissent

8 comments to “PA: Thomas Jefferson University Hospitals Notify Patients of Security Breach”

  1. ihateliberals - July 27, 2010

    I am one of the patients affected by this breach in your security procedures. I am really blown away and appalled by what has transpired here. While you say my identity and credit have yet to be compromised, that is really not a comfort to me right now because this just transpired six short weeks ago. This is a blatant and clear violation of the HIPAA Privacy Laws. I do not understand how an employee can transfer all this data about patients to his own personal computer right under your noses and then OOPS it is stolen. The time period dictated in the letter in which my personal records were illegally transferred onto this employee's computer was the worst and most challenging time in my life. Now on top of all the medical hurdles I have had to confront over the past few years, I have to deal with the added stress of having my most private and intimate details of my life out there waiting for someone to steal my identity. Any suggestions on how you think I should begin to deal with this?

  2. Reneemostblessed - July 29, 2010

    I have recently received a letter from the hospital, I had a personal surgery done and I am very upset to know that someone has been able to see my personal information. I was recently in a check scam and now I am wondering if this is how my info got out - I am still paying the bank back for the loss, this gives me an eerie feeling. I felt so safe at Jefferson, the staff were very nice and polite - this is truly unbelievable.
    Why sign a HIPAA?

  3. admin - July 29, 2010

    To the two commenters above: I hope you have both contacted the special phone number they have set up to help people and have enrolled in the free services they are offering. If you recently experienced fraud, do contact them, even though it may not be possible to determine if the breach was the source of the fraud. Maybe they can help you anyway.

    I think that the question that the first commenter posed — how could someone download information to their personal computer without it being detected — is a key question in terms of security. They seemingly did not detect the download and might never have detected it or might not have detected it for a longer time had they not been notified by the employee of the theft. This is not just a matter of employee education, but one of security protocols and controls.

  4. spiritsolver - July 31, 2010

    This is in response to admin’s comment. “They” meaning administrators and management were fully aware of the data on this employee’s laptop. The employee was directed to work on this project to monitor deep vein thrombosis in patients post surgery. The info was GIVEN to him by the IT unit in order to complete the study he was assigned to do by his superiors. His superiors actually viewed the work as it was in progress, so their “disbelief” and shock is totally ludicrous!!! Really, why would an employee secretly download patient information to do a research study???? Out of the goodness of his heart???? Use your head. Jefferson’s policies are virtually non-existent. Besides the so-called breach, the hospital has had several breaches in the past and are actually noted in books on the topic. Of course these patients affected feel violated, as they should. But are they aware that this institution has NO security cameras and no one is required to sign in when visiting?? Anyone in “safe” center city Philly can walk in off the street into any patient’s room and walk out with their chart. Now how’s that for security breach?? I have posted similar info on other blogs and it has mysteriously disappeared, I’ll be interested to see if this one remains. The management needs to own up to its mistakes and stop crucifying one employee who was doing what he was told.

    • admin - July 31, 2010

      I contacted the hospital and have asked them to respond to the allegations you have made that they had knowledge that patient data were on a personal laptop, etc. Because it’s the weekend, I will not be able to get a response from them until Monday, but I will post their response on Monday.

      I am not aware of any other breaches that they’ve had, although even if they had, it wouldn’t be surprising as almost every hospital has had a number of breaches by now.

  5. spiritsolver - July 31, 2010

    I thank you admin….what I have said is all true. It’s time for the entire truth to come out.

    • cindy714 - August 2, 2010

      I’d like to thank spiritsolver and the admin for their help in disclosing the truth. I too was violated by this AND the only reason I was an inpatient to begin with was because I went in for a routine colonoscopy and it was botched. It was an experience I wish I could erase. The first thing I said when I learned of this to my friend was “I’m sure this happened right under a manager’s nose”. I’d be interested to know who was fired.

      I personally have issues with putting my personal info out there again even if it IS with an identity theft agency. Why would I be reassured that everyone that works there is kosher? “Bonded” doesn’t reassure me either. Heartwarming to know HIPAA is worthless.

      But thanks very much for your input, spiritsolver, and your effort, admin, to try to disclose the truth.

      • admin - August 2, 2010

        I don’t know the truth, Cindy714, which is why I reached out to the hospital to ask them to respond. I didn’t hear from them today as I expected to, so I sent them a second request.
