WISH reports:
The Indiana University School of Medicine is warning thousands of people that their medical records could have been breeched after someone stole a laptop back in August.
The medical school reports the laptop, stolen Aug. 16, contained records of 3,192 individuals that included name, age, sex, diagnosis, medical record number and in 178 cases, social security numbers.
Read more on WISH.
A notice on the school’s web site, linked from their home page states:
Notice on Possible Patient Record Breach
September 9, 2011
INDIANAPOLIS — On September 2, the Indiana University School of Medicine began sending letters to 3,192 individuals that the theft of a password-protected, computer laptop may have compromised their confidential patient information. The laptop, belonging to a physician in the school’s Department of Surgery, contained information, such as name, age, sex, diagnosis, medical record number, and in 178 instances, the individual’s Social Security number. The information was being used for research purposes.Although the laptop computer was password protected, there is a possibility that the information could be accessed by a computer specialist with enough time and resources.
The disappearance of the laptop, apparently stolen from the physician’s vehicle on Tuesday, August 16, 2011, was immediately reported to law enforcement.
The IU School of Medicine is providing detailed information to those who might be affected by this incident at medicine.iu.edu/research/media-alert-faqs/, including suggestions how affected individuals may protect themselves from the possible unauthorized use of their personal information.
The IU School of Medicine and the IU Department of Surgery deeply regret this incident and are taking steps and security measures to minimize the likelihood of future incidents.
So why wasn’t IU informed of the theft until more than two weeks later? That’s not good.
According to the FAQ’s on the breach, the laptop held data on some patients going back to 1980, not all of whom may have been directly asked to permit their data to be used for research purposes. I do not mention this to suggest that IU did anything illegal, but merely to note that some people may never have consented to the researcher having their name and other information.
IU acknowledged that errors were made:
… the computer laptop was password protected and stored behind a locked door – but it should have been stored using “encryption,” a process that makes it extremely difficult for a third person to see and/or the information should have been “de-identified,” a process that removes any way to link it to an individual.
While acknowledging that errors were made, I note that IU did not offer those affected any free credit monitoring services – even, apparently, the 178 individuals whose SSN were involved.