On Friday, Thomas Jefferson University Hospital in Philadelphia notified 21,000 patients that a laptop computer containing their unencrypted personal data, including names, birth dates, insurance information and social security numbers, was stolen from an office at the hospital on June 14.
The laptop was password-protected; still, the data could be accessed because it was not encrypted as the hospital requires. Jefferson has written letters to each of the affected patients and hired Kroll Inc. to conduct an internal investigation and provide identity theft protection and ongoing monitoring.
Jefferson’s president and chief executive, Thomas J. Lewis, urged all the patients who get the letters from him to use the individual ID codes and activate the identity theft protection by Kroll.
“As upsetting it is for me, I know it is even more upsetting for the people who have gone through it and I am really sorry that they have to deal with this,” Lewis said in an interview.
Since the computer was reported missing, Lewis said the hospital has engaged in a broad review of its policies and procedures to “try to make it fool-proof that this can’t happen again at Jefferson.”
That involved fixing flaws in the system that enabled the data to be moved from the hospital’s computer system to the employee’s laptop. The employee violated hospital policy by copying the data, and would be subject to “appropriate action,” Lewis said.
He declined to go into specifics of the personnel action.
So far, Jefferson has not been notified that any of the personal information has been accessed or used inappropriately, but Lewis emphasized that it was critical for the patients to activate their Kroll identity theft protection as soon as possible.
A similar loss of private patient information occurred last December at Children’s Hospital of Philadelphia when an employee’s laptop computer containing data including social security numbers on 942 patients was stolen from a car parked at the employee’s home.
On Tuesday, Cooper University Hospital in Camden reported that a flash drive containing social security numbers, addresses and phone numbers of medical residents and fellows was missing.
“The hospital is conducting a thorough investigation and has initiated an aggressive plan to protect any personnel who could be affected by this potential security breach,” Cooper said in a statement.
The problem of personal data being lost or stolen from hospitals extends across the nation.
On July 20, South Shore Hospital in South Weymouth, Mass. reported that computer files containing 14 years of personal, health and financial information of patients, vendors, employees and others “may have been lost by a professional data management company.” An estimated 800,000 people were potentially affected by that loss.
Thomas Eakins has it. Sam Pileggi
WHY is personal patient information being kept on a laptop, and not on a server?? Idiots. SPhillyRob
Heads should roll. Curmudgeon
I work at a hospital and we are not allowed to take any patient information home as this is a HIPPA violation (Federal law governing patient privacy). People should get fired if they were the ones who took the laptops out of their work area. Pooh
As they say Jeff now Penn later... MikeD930
Again, why is personal data of any kind stored on a laptop? This is a major medical institution with a quality rep, there is no excuse at all why servers aren't used. I'd also like to know why personal data is even entered onto a personal computer. HIPPA violations are only the start with this. Whoever is responsible for the laptop should be fired, no questions, no excuses, it's just pathetic. aisaac
Pooh - it was stolen, not simply "taken home." That being said, everyone is right - why in the world is this info on a laptop and not properly secured?? diiianaaa
Non-Compliance is SUICIDE....... donnar
i work for a company that deals specifically with DLP and HIPPA and HITECH compliance for the healthcare industry. if anyone is interested in learning about this please contact us. our information can be found at www.maas360.com csaul475
funny that people seem to know everything... except that it is HIPAA not HIPPA sn11
Jefferson is so overrated. I would never go there nor should anyone else. Sam Pileggi
Agree with sn11. I also agree with the other folks here who wonder why we are carrying data around on laptops. Given the establishment of web-based apps, distributed software design, and cloud computing coupled with the increasing rate of data theft, this type of information management is irresponsible. All that being said, there wasn't enough information in the article to tell whether it was a HIPAA violation. Having data all by itself on a portable device is NOT a violation. Danno
Maybe Lower Merion school district can find it ... Marchus
In the realm of risk, unmanaged possibilities become probabilities: Most breaches are due to a lagging business culture. I had to read a book as part of new employee orientation: "I.T. WARS” – author also has a blog you can Google to: “The Business-Technology Weave”. I like to pass along things that work, hoping good ideas make their way to me. janice33rpm







