Here’s yet another case involving a missing (presumed stolen) laptop with unencrypted PHI that was used with a medical device, but seemingly not physically secured enough. This breach involves the Riverside County Regional Medical Center. I recently reported a similar type of breach at a VA medical center in Denver.
The following statement was posted on the hospital’s website today:
Hospital Patients Notified That Missing Laptop Contained Their Personal Information
Law enforcement investigating laptop computer missing from Riverside County Regional Medical CenterRIVERSIDE COUNTY, Ca. – Riverside County Regional Medical Center (RCRMC) has notified 563 patients that some of their personal data may have been compromised after a laptop computer was reported missing from a hospital procedure room late last week.
Riverside County Sheriff deputies are investigating the missing computer and reviewing footage from hospital security cameras in an effort to recover the computer.
The laptop contained the names, birth dates, medical record numbers, and test results for patients who recently had an electromyogram, a study that measures the electrical activity of muscles while at rest. No social security or credit card numbers, insurance information, or addresses were kept on the laptop. No other hospital computer systems were compromised.
Jan Remm, the assistant hospital administrator who oversees regulatory compliance, said RCRMC has mailed notification letters out to each of the affected patients. A toll-free phone line has been established so patients can contact hospital representatives with any concerns or questions. Patients may call 1-877-500-1255.
“Protecting sensitive patient information is a golden rule in healthcare,” Remm said. “We apologize for the inconvenience this incident has caused our patients. Right now, we are focused on minimizing current and future impacts.”
Remm said RCRMC is taking steps to minimize the risk of future incidents, by:
- Encrypting sensitive patient data
- Using locks to secure laptops to carts
- Developing advanced security access in areas where sensitive patient information is stored
Remm said hospital officials know each patient name in the stolen laptop. She encouraged any patient who believes they might be impacted by the incident to contact RCRMC immediately.
“We have no reason to believe the computer is missing because of the patient information it contained,” Remm said. “But, our job is to safeguard our patients’ privacy and that’s what we are focused on doing.”
RCRMC, located in Moreno Valley, was established in 1893 as Riverside County’s general hospital. The hospital and its clinics provide nearly half a million inpatient and outpatient visits annually.
(h/t, The Press-Enterprise)
I used to work for RCRMC IT and I’ve notified my CIO and CTO numerous times about encrypting any of our mobile devices. while I was there IT have started to put a password lock “BIOS security” but this does not fix the data being vulnerable, As you see still noting has been done to make this effort.
The IT dept. here in RCRMC is very un organized its not even funny “Typical county worker” ..
The end of the day we all know as an Healthcare IT patient care is always our number 1 propriety and to make sure our data is secure and protected. Jim Sander (ITO – “Security officer”) take this and own it! make the change now..