Georgina Gustin reports:
A Florissant orthodontist’s office has informed 10,000 people that their personal information could be compromised because of a break-in and burglary at its offices in July.
Olson & White Orthodontics, which also has offices in O’Fallon, Mo., was burglarized on July 22. Thieves took computers containing personal data, including patient health information, according to Armstrong Teasdale, the Clayton-based law firm hired by Olson & White after the break-in.
Read more in the St. Louis Post-Dispatch.
The practice has posted an FAQ about the breach on their web site. It does not provide basic details, however, such as the date of the burglary, the date the burglary was discovered, nor what specific types of unencrypted patient information were on the stolen computers. The Post-Dispatch’s report, however, which was based on a statement from the practice’s attorney, reports that the information included names, addresses, X-rays, photos and diagnostic findings, as well as the adolescent patients’ parents’ or insured parties’ names, e-mail addresses, Social Security numbers, and credit scores.
Affected patients or their parents were not offered any free credit-monitoring services, and the practice does not explain why it took over 60 days from the burglary for them to notify patients, nor whether they will encrypt all data in the future (although I would hope/expect they would).
Update: Actually, the more I look at their FAQ, the more I wonder why there’s no copy of their notification or actual notice posted on their web site, as the FAQ really doesn’t provide any of the necessary information, nor a phone number for patients to call if they have questions. Their FAQ also makes me wonder whether they have a backup of the information that was on the stolen computers, as they write:
4. WHAT PERSONAL INFORMATION ABOUT ME COULD BE ON THE STOLEN COMPUTERS?
Because the computers were stolen, we cannot answer your question with certainty. But, we have undertaken a thorough investigation, and have determined that certain information about patients and financially-responsible parties may be accessible to a determined identity thief.