BreachExchange mailing list archives

South Jersey Healthcare tells patients data stolen


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 3 Jan 2013 10:44:38 -0600

http://www.thedailyjournal.com/article/20130102/NEWS01/301020050/South-Jersey-Healthcare-tells-patients-data-stolen

VINELAND — A laptop containing the personal information of
approximately 8,500 South Jersey Healthcare patients and others at two
out-of-state facilities has been reported stolen, hospital officials
said Wednesday.

The laptop also contained information about patients from healthcare
facilities in Michigan and Virginia.

The incident affected only certain patients treated at South Jersey
Healthcare, 99 percent of whom were either treated or scheduled for
admission at the health system’s hospitals between June 1, 2012 and
Nov. 12, 2012.

The laptop was reported stolen in another state on Nov. 14 from inside
a car belonging to an employee of Omnicell, a company that provides
automated medication dispensing services for South Jersey Healthcare,
according to a statement released by the health system on Wednesday.

Omnicell already has notified all 8,555 South Jersey Healthcare
patients and affected patients at the other hospitals by mail of the
potential data breach.

The files on the laptop, which is password protected, are believed to
contain: patient names; birth dates; patient numbers; and medical
record numbers, according to the statement.

The device did not contain patient medical records; financial; bank
account; or insurance information pertaining to any South Jersey
Healthcare patient, officials said.

Omnicell has recommended that affected patients monitor their medical
insurance statements and credit reports for any evidence of fraudulent
transactions using their identity, according to the hospital
statement.

Social Security numbers for certain patients were on the device,
although they were not readily identifiable as Social Security
numbers, the statement said.

The health system was notified of the theft on Nov. 20 by Omnicell,
according to a statement issued by Greg Potter, a spokesman for South
Jersey Healthcare.

Potter said Omnicell also notified patients of the theft after it was
reported in November. South Jersey Healthcare issued the statement
Wednesday as a precaution, he said.

Information about patients at The University of Michigan and Sentara
Health System in Virginia also was on the stolen laptop, he said.

If patients suspect any fraudulent transactions have occurred, they
should contact their local law enforcement agency or the state
attorney general, the statement said.

The laptop has not been recovered.

The files on the laptop also could contain clinical information such
as: gender; allergies; admission date and/or discharge date; physician
name; patient type (inpatient, emergency department or outpatient);
site and area of the hospital (specific inpatient or outpatient
unit/area); room number.

Also, the names and dosages of medication, as well as frequency,
administration instructions, and start time and/or stop times for
medicine may be on the laptop, officials said.

While the laptop was password protected, the information contained was
not encrypted.

Investigators don’t believe the device was taken for the information
it contained. They also don’t believe that the information has been
accessed or used improperly, according to the statement.

As a precaution, Potter said letters have been mailed and a dedicated
call center has been established to assist the affected patients.

Omnicell will also provide credit monitoring to affected patients if
needed, as well as assistance to patients with any complaints of
possible identity theft.

Omnicell is continuing to investigate the incident and is working
closely with authorities to locate the stolen device and secure all
patient information.

In addition, Omnicell is taking steps to improve its security programs
and practices in response to this incident.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
