Two computer thefts at Montefiore Medical Center put sensitive data at risk (update 1)
Montefiore Medical Center in New York has experienced two computer thefts in recent months. Although neither incident appears on HHS’s web site of reported breaches as of the time of this posting, a statement on Montefiore Medical Center‘s web site indicates that both thefts involved computers containing sensitive personal and medical information of patients and students. The stolen computers are described as “password-protected” but there is no mention of whether there was any encryption in use:
Montefiore Medical Center has experienced two computer thefts.
During the weekend of May 22, 2010, two desktop computers were stolen from Montefiore’s Finance Department. Montefiore discovered the theft on Monday, May 24, 2010. Some patient information was stored on the computers, including patient names and medical record numbers. The patients involved are covered by Medicaid and/or Medicare, including Medicaid or Medicare Managed Care Plans. In some cases, patients’ social security numbers, dates of birth, hospital admission dates and/or insurer information was also included. No diagnoses or other medical information was contained on the computers.
After close of business on June 9, 2010, three desktop computers were stolen from Montefiore’s School Health Program Administrative Offices. The theft was discovered on June 10, 2010. Some information about students enrolled in Montefiore’s School Health Program was included on the computers.
The information on the School Health computers included students’ names, dates of birth, medical record numbers, parent or guardian contact numbers and whether a student has a social security number. No actual social security numbers were on the stolen computers. For students diagnosed with asthma, the asthma diagnosis, vaccination information and number of visits to our school health clinic were also included. No other diagnoses or other medical information regarding the students was on the stolen computers.
Each of the stolen desktops was password protected.
Montefiore is cooperating with the police investigations. Neither Montefiore nor the police has any reason to believe that the thieves are interested in, or would use, any information stored on the computer. Nevertheless, as a precautionary measure, we are notifying the affected individuals and are providing advice concerning identity protection. Medicaid and Medicare patients, and parents, guardians or students can call Montefiore representatives at Identity Force, Toll free, at 800-295-0136, to find out if they are among the individuals whose information was stored on the stolen computers.
Montefiore takes its patients’ privacy seriously, and regrets that these thefts have occurred. We are implementing additional measures to further maximize the security of patient information.
A copy of the medical center’s notification to those affected by the June incident can be found here (pdf).
Earlier this year, Montefiore also experienced the theft a laptop computer containing protected health information on 625 individuals. That theft, which occurred February 20, was reported to HHS on March 23.
Update: According to a hospital spokesperson with whom I spoke today, the Finance Department theft affected 16,000 patients, while the School Health Program theft affected 23,000 students and their families. No arrest has been made in either case yet. The hospital declined to be specific about what steps they are taking to prevent future incidents of this kind, but note that they are taking steps.