Laptop with Sentara patients’ data stolen [update]

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.suffolknewsherald.com/2013/01/03/laptop-with-sentara-patients-data-stolen/

Sentara Healthcare is assuring patients they are unlikely to become
fraud victims after the theft of a laptop containing the names, birth
dates and medications for about 56,000 of its patients.

The laptop belonging to Omnicell, a Sentara contractor managing
automatic pharmacy dispensing services, was stolen from an Omnicell
engineer’s locked car, Sentara spokeswoman Cheri Hinshelwood wrote in
an email.

“There were no Social Security numbers, insurance policy numbers or
personal financial information in the data set, which makes fraudulent
use unlikely,” according to Hinshelwood.

“We’d like to assure patients that medical records were not on the
device, and medical information has not been lost.”

The stolen laptop may also have contained details on gender,
allergies, admission and discharge dates, physician name and patient
type, such as whether inpatient, emergency department or outpatient.

Other information, she added, could have included site and area of the
given hospital – for instance, specific inpatient or outpatient unit
or area — room number, medication dose amount and rates, how
medication is taken — such as oral or infusion — frequency of dose and
start and/or stop time.

“Patients from seven Hampton Roads area hospitals and three outpatient
campuses were affected by this incident. All affected patients
including those from Suffolk will be receiving letters explaining the
situation,” Hinshelwood wrote.

The files on the laptop, which was actually stolen on Nov. 14, 2012,
had been collected from Omnicell’s medication dispensing cabinets over
one to three weeks, company spokesman Todd Sims wrote in an email.

The engineer, whose vehicle was parked at his home in California at
the time of the theft, had downloaded the information “while
validating pre-release software for the hospital.”

“Upon learning of the theft of the device and the involvement of
electronic protected health information, we promptly notified
Sentara,” Sims wrote.

“We are doing everything in our power to ensure these customers
experience as little disruption as possible in their delivery of
quality medical care.”
Sims called the theft an “isolated incident in violation of existing
company policies. Omnicell takes very seriously the protection of
personal health information security, and we have initiated immediate
and definitive measures to prevent a similar incident from
re-occurring.”

According to Hinshelwood, the laptop also contained information on
“thousands more (patients) from two other healthcare systems.”

Omnicell notified affected patients of the theft “in compliance with
HIPAA (the Health Insurance Portability and Accountability Act)
requirements and with an abundance of caution,” she added.

“Omnicell remains a trusted partner in pharmacy systems management and
we will continue working with them going forward.”

The letters were mailed to patients beginning this week, Hinshelwood
said, adding that anyone who does not receive a letter by Jan. 21, or
who still has concerns, can call 1-855-755-8482 and enter the
reference code 6236121712.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.