BreachExchange mailing list archives

UT Physicians informs patients of data breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 30 Aug 2013 13:34:28 -0400

http://healthitsecurity.com/2013/08/29/ut-physicians-informs-patients-of-data-breach/

UT Physicians, The University of Texas Health Science Center at
Houston (UTHealth) Medical School’s medical group practice, posted a
notice on Wednesday notifying patients of an Aug. 2 data breach.

The organization learned that an unencrypted laptop (attached to an
electromyography machine) with patient data had been stolen on Aug. 2
from a locked closet inside an orthopedic clinic. Though the laptop
contained names, birth dates and medical record numbers, it did not
have any addresses, Social Security numbers, insurance or other
financial information. The data included hand and arm image data from
Feb. 2010 to July 13. The laptop was last seen on July 19 and has yet
to be found. The organization offered up the boilerplate “we do not
have a reason to believe any data has been compromised” response and
added that the laptop was password protected and it thought all
devices had been encrypted:

UT Physicians does not have any reason to believe that the information
has been accessed or used by any unauthorized individual, but as a
precaution began mailing letters today to 596 patients whose
information was stored on the laptop. UT Physicians is committed to
patient privacy and deeply regrets that this incident
occurred. Encryption of all laptops has been the policy at UT
Physicians and UTHealth for the last two years. To date, all known
laptops – more than 5,000 – have been encrypted. The medical group and
UTHealth have taken steps to ensure that the missing laptop in the
orthopedic clinic is an isolated incident.

Additionally, UT Physicians and UTHealth officials said they will
continue to work with law enforcement in their investigation. In the
notification, officials said they have done a physical search of all
clinics and offices to ensure that there are no other unencrypted
laptops or storage devices attached to medical equipment. The
organization listed a few ways it plans on avoiding these types of
breaches in the future, including being more involved with medical
equipment and hardware purchases. It also plans on reviewing current
processes and encryption practices to prevent unencrypted devices from
being stolen in the future.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
