North Country Hospital in Newport, Vermont posted this notice on their web site:
North Country Hospital is alerting its patients to the discovery of a recent privacy breach that may involve your personal information. On September 18, 2013, we received notice that a former employee of the Hospital claimed to be in possession of a retired laptop that contains patient health information. It is our belief that the patient health information is password protected and that this individual has access to the appropriate password(s) by virtue of his former position with the Hospital. The Hospital immediately demanded the return of the laptop, but the individual failed and refused to return it and has continued to do so.
We immediately reported this incident to federal, state and local enforcement agencies and sought their assistance to regain possession of the laptop to determine its contents and to what extent patient information is accessible on it. In particular, we sought the assistance of the Newport Police Department on September 20, 2013. We contacted the Vermont Attorney General’s Office on September 27, 2013 and the U.S. Department of Health and Human Services on September 30, 2013 to report the situation. We have also taken efforts to identify what, if any, patient health information may be contained on the laptop, which is complicated by the fact that the former employee has refused us access to the laptop.
It was our hope that through the enforcement agencies we would be able to gain access to the laptop in order to determine the exact information on the laptop and provide meaningful notice to our affected patients as expediently as possible. However, not knowing when and if we will regain possession of the laptop, we have opted to provide this Public Notice at this time.
In the course of making demands of the Hospital, the former employee provided some limited information suggesting the contents of the laptop. Based on that information, we have been able to identify individuals who may have health information that was accessed by this individual. Those individuals are receiving individualized notices that address the nature of their personal information we believe may have been stored under password protection on the laptop.
At this time, we do not have reason to believe that the former employee has used or disclosed any health information other than to make demands for monetary compensation upon the Hospital. Also, we do not at this time have any information that there was any financial information stored on the laptop, such as credit card numbers, bank account numbers or Social Security numbers.
North Country Hospital has followed established policies and procedures to prevent this former employee from gaining access to further information. All administrator-level computer system user codes and passwords that he had access to were changed, and the compromised laptop will be “locked-out” if there is an attempt to re-connect to the hospital information systems.
If you have questions or wish to learn additional information, please contact Andre Bissonnette, North Country Hospital Compliance Officer at (802) 334-3253, or via e-mail at: [email protected]
We are deeply disturbed by and apologetic about this situation, and we understand that this may be very unsettling for our patients. We sincerely apologize and regret that this situation has occurred. North Country Hospital is committed to providing quality care and to protecting your personal information, and wants to assure you that we are taking every step to further improve policies and procedures to protect your privacy.
The former employee, Christian Cornelius, provides a different version of events. According to WCAX:
Cornelius worked in the IT department at the hospital and says a fellow employee took a discarded computer and asked him to install a fan and hard drive.
“It’s lying around, there’s a pile with discarded laptops, you grab the one with the least scratches on it,” he said.
Cornelius says when he finally booted it up, there was more than he bargained for.
“It sat on my workbench for seven months,” he said. “I finally turned it on in September and found it was loaded with medical records and had the hard drive still in it.”
Cornelius says he immediately contacted the hospital, but his calls were ignored.
What’s not clear from the hospital’s statement or media coverage is what was supposed to happen to laptops slated to be discarded or “retired.” Were they sent to IT for secure wiping before being auctioned or sold as surplus, were they just supposed to be thrown out, or….? Were discarded laptops available for employees to simply take with the hospital’s approval, or was the laptop in question removed from the premises without authorization?
Hopefully, HHS will ask.
This is not the first time we’ve seen an entity seek legal assistance in recovering devices with PHI. In the case of Kaiser Permanente and its former business associate, Surefile, the court declined to order Surefile to turn over its devices, but those were its devices, not KP’s. In this case, one wonders why a court doesn’t simply order the former employee to return what appears to be hospital property – or at the very least, turn it over to the court for secure keeping.
h/t, HealthITSecurity.com
UPDATE: Vermont Public Radio (VPR) has additional details on this case, although it’s still a he said – they said controversy.