Boston Children's Hospital has notified patients of a potential breach of protected health information as a result of a stolen laptop computer. A Boston Children's Hospital staff member lost the laptop while attending a conference in Buenos Aires.
Although the laptop was password-protected, the files on it were not encrypted. A file containing patient information had been sent to the laptop as an e-mail attachment. That file included names, medical record numbers, dates of birth, diagnoses, procedures and dates of surgery for 2,159 patients.
"Boston Children's takes this incident and the protection of protected health and personal information extremely seriously," said Daniel J. Nigrin, senior vice president for Information Services and chief information officer.
"We take great measures to ensure that protected health information is never inadvertently released, and we are undertaking additional steps to prevent breaches such as this in the future. We deeply regret and apologize for any concern or inconvenience this situation may cause our patients and families."
Healthcare Sector Security Lax?
The only saving grace: no patient financial data or Social Security numbers were involved. Boston Children's Hospital determined that although the file was not saved to the laptop's hard drive, it was still on the laptop in the e-mail attachment at the time of the theft. After extensive review and investigation, Boston Children's staff was not able to determine whether or not the file was accessible on the laptop.
We caught up with Neil Roiter, research director at Corero Network Security, to discuss how the Boston Children's Hospital breach fits into the larger security story. He told us the reported breach of sensitive medical records of the hospital's patients is, unfortunately, the kind of story we've been hearing all too frequently from the healthcare sector.
"There have been numerous recent cases across the country involving lost or stolen laptops, missing backup media, and poorly secured health record databases involving tens, even hundreds of thousands of records," Roiter said.
Healthcare Leads Breaches
Roiter offers several recent examples to prove his point: Health claims of 780,000 Utah residents were stolen by hackers from a poorly secured database; a laptop with 34,500 patient records from Howard University Hospital was stolen from a car; backup media containing the records of 315,000 former Emory University Hospital patients is simply missing; in South Carolina, a state employee was charged in the transfer of records of 228,000 Medicaid recipients.
Roiter said the healthcare industry lagged well behind others in securing sensitive information. Symantec reports that healthcare had by far the highest percentage of data breaches of any sector: 43 percent, compared with the next highest sectors, government (14 percent) and education (13 percent).
"Health care providers must take extreme care in the handling of sensitive data on laptops, mobile devices or removable storage of any type. As a matter of policy and procedure, they should avoid storing large numbers of records on these devices, especially if they are allowed off-premises," Roiter said.
"Laptops and other portable devices are lost or stolen with alarming frequency, and one has to wonder how many other records may be potentially at risk, waiting for a USB memory drive to be left on a coffee shop counter or a laptop forgotten in the back of a taxi at the airport."