BreachExchange mailing list archives

Centra notifies nearly 14,000 patients after laptop theft


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 24 Dec 2010 00:18:54 -0500

http://www2.godanriver.com/business/2010/dec/20/centra-notifies-nearly-14000-patients-after-laptop-ar-727732/

A laptop stolen in Georgia in November held the names and billing
information of nearly 14,000 Centra patients, the Lynchburg-based
hospital system announced Monday.

The computer files did not contain Social Security numbers or other
information that could be used in identity theft, or medical history
information, Centra officials said. The hospital system is
implementing new security measures to safeguard patient data.

“Our policy is to do everything to secure it in the best method
possible,” said Centra Director of Compliance Juan DeLeon.

The laptop was stolen north of Atlanta, in Alpharetta, Ga., on Nov.
11. An employee was in Georgia for a training conference and left the
computer in the trunk of a rented car, said Centra spokeswoman Susan
Brandt.

Someone broke into the car and stole the laptop and some of the
employee’s belongings that night, Brandt said.

DeLeon said the employee notified police, but the police have not told
Centra of any progress in the investigation.

On Friday, Centra sent letters to 13,964 patients whose information
may have been stored on the laptop. That represents about 2.5 percent
of Centra’s entire patient population, Brandt said.

Federal law requires health care providers to notify patients within
60 days of data being stolen.

It took some time to determine whose information may have been on the
laptop and also to track down their addresses, since their contact
information was not included in the laptop’s files, DeLeon said.

“We certainly didn’t do it just because we’re required to do it, but
we did it because it’s the right thing to do,” he said.

The stolen laptop was password-protected, and DeLeon said it is not
likely that someone could access the files on its hard drive.

If someone did reach the file with patient data, they would not find
Social Security numbers, driver’s license numbers, addresses or phone
numbers, medical treatment information or credit card data, Brandt
said.

The file contains an internal Centra billing number, the patient’s
name, the amount being billed to an insurer, and codes that identify
the insurer.

Since the theft, Centra has reviewed privacy measures with employees,
reminding them to store patient data on Centra’s network servers, not
on individual computers, DeLeon said.

Centra already had started adding an extra layer of data encryption to
its laptops, but it has sped up that process, DeLeon said.

“We’re already almost completely done,” he said. The encryption “makes
it virtually impossible for anyone to break into the hard drive and
decipher the information without the proper credentials.”
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
