Personal laptop with unencrypted information on UCSF Medical Center patients stolen from employee's car
The University of California San Francisco (UCSF) Medical Center issued this statement yesterday, although you’re unlikely to find it just by visiting the center’s home page:
UC San Francisco is alerting some of its patients to the theft of an employee’s laptop computer that held patient information.
The security of protected health information at UCSF is of utmost importance. While there is no evidence at this time that there has been any attempted access or attempted use of the information involved, UCSF is responding with the highest level of caution and concern.
Notification letters have been sent to the 3,541 patients whose information was contained on the laptop. The California Department of Public Health and the California Attorney General have been alerted, and federal authorities are also being notified. Additionally, a special phone line has been established to address questions from patients who receive the notification letters, and credit monitoring is being offered to some individuals.
UCSF learned on Sept. 10, 2013 that an unencrypted personal laptop computer was stolen the prior day from the locked vehicle of a UCSF Medical Center employee who works in the Division of Transplantation. Upon discovering the theft, the employee promptly alerted San Francisco police, UCSF police and UCSF officials.
UCSF immediately began an extensive technical analysis to determine what information was on the laptop. The analysis revealed that the laptop housed files containing personal and health information for some UCSF patients, including their name and medical record number. Social Security numbers were also involved for a small number of individuals.
Also stolen were paper documents for 31 patients, some of whose information was also on the laptop. Information in the paper documents included patient names, date of birth, medical record number and some health information.
Affected individuals are being alerted, and a special phone line has been set up by UCSF to provide additional assistance to those individuals.
UCSF is committed to maintaining the privacy of personal information and takes many precautions to secure that information. In response to the incident, UCSF is working to strengthen educational and operational processes to safeguard patients’ health information.[…]
A copy of the notification letter to patients was uploaded to the California Attorney General’s web site today.
This breach was reported earlier by Jeanne Price of IDradar.com. As Jeanne reports, it is not clear how many of the people whose PHI were on the laptop were transplant recipients or on a waiting list, or possible donors, etc.