DataBreaches.Net


PA: Thomas Jefferson University Hospitals Notify Patients of Security Breach

Posted on July 23, 2010 by Dissent

From the hospital’s web site today:

Notice to Patients:

Thomas Jefferson University Hospitals has notified approximately 21,000 patients that there was a theft of a laptop computer containing personal information. Affected patients have been sent a letter detailing the extensive identity protection resources being made available to them.

On June 14, 2010, an employee reported to Thomas Jefferson University Hospitals’ security personnel that his password-protected, personal laptop computer was stolen from an office in the hospital. In violation of hospital policy, the computer contained protected health information. Individuals whose records were affected received inpatient care at Thomas Jefferson University Hospitals during a six-month period in 2008. The data included name, birth date, gender, ethnicity, diagnosis, social security number, insurance information, hospital account number and other internal and administrative coding. Though the computer was password-protected, it was not hospital-issued and the information was not encrypted. To date, there has been no indication of inappropriate use of the information stored on the stolen computer.

“On behalf of everyone at Jefferson Hospitals, please accept our apologies and know that we are committed to providing assistance to the affected patients,” said Hospitals President and Chief Executive Officer Thomas J. Lewis. “Jefferson Hospitals has extensive internal policies reflecting our commitment to the appropriate use of personal health information and employees receive training on these policies annually. The storage of patient data on an employee’s unencrypted computer – even while on TJUH premises – is a breach of hospitals’ policy.”

Read more on their web site.

Great thanks to Adam Dodge of ESI for alerting me to this notice.

Category: Breach Incidents, Health Data, Theft, U.S.


8 thoughts on “PA: Thomas Jefferson University Hospitals Notify Patients of Security Breach”

  1. ihateliberals says:
    July 27, 2010 at 8:20 pm

    I am one of the patients affected by this breach in your security procedures. I am really blown away and appalled by what has transpired here. While you say my identity and credit has yet to be compromised, that is really not a comfort to me right now because this just transpired six short weeks ago. This is a blatant and clear violation of the HIPAA Privacy Laws. I do not understand how an employee can transfer all this data about patients to his own personal computer right under your noses and then OOPS it is stolen. The time period dictated in the letter in which my personal records were illegally transferred onto this employee's computer was the worst and most challenging time in my life. Now on top of all the medical hurdles I have had to confront over the past few years, I have to deal with the added stress of having my most private and intimate details of my life out there waiting for someone to steal my identity. Any suggestions on how you think I should begin to deal with this?

  2. Reneemostblessed says:
    July 29, 2010 at 3:24 pm

    I have recently received a letter from the hospital, I had a personal surgery done and I am very upset to know that someone has been able to see my personal information. I was recently in a check scam and now I am wondering if this is how my info got out - I am still paying the bank back for the loss, this gives me an eerie feeling I felt so safe at Jefferson, the staff were very nice and polite - this is truly unbelievable
    why sign a HIPAA?

  3. admin says:
    July 29, 2010 at 4:00 pm

    To the two commenters above: I hope you have both contacted the special phone number they have set up to help people and have enrolled in the free services they are offering. If you recently experienced fraud, do contact them, even though it may not be possible to determine if the breach was the source of the fraud. Maybe they can help you anyway.

    I think that the question that the first commenter posed — how could someone download information to their personal computer without it being detected — is a key question in terms of security. They seemingly did not detect the download and might never have detected it or might not have detected it for a longer time had they not been notified by the employee of the theft. This is not just a matter of employee education, but one of security protocols and controls.

  4. spiritsolver says:
    July 31, 2010 at 9:44 am

    This is in response to admin’s comment. “They” meaning administrators and management were fully aware of the data on this employee’s laptop. The employee was directed to work on this project to monitor deep vein thrombosis in patients post surgery. The info was GIVEN to him by the IT unit in order to complete the study he was assigned to do by his superiors. His superiors actually viewed the work as it was in progress, so their “disbelief” and shock is totally ludicrous!!! Really, why would an employee secretly download patient information to do a research study???? Out of the goodness of his heart???? Use your head. Jefferson’s policies are virtually non-existent. Besides the so-called breach, the hospital has had several breaches in the past and are actually noted in books on the topic. Of course these patients affected feel violated, as they should. But are they aware that this institution has NO security cameras and no one is required to sign in when visiting?? Anyone in “safe” center city Philly can walk in off the street into any patient’s room and walk out with their chart. Now how’s that for security breach?? I have posted similar info on other blogs and it has mysteriously disappeared, I’ll be interested to see if this one remains. The management needs to own up to its mistakes and stop crucifying one employee who was doing what he was told.

    1. admin says:
      July 31, 2010 at 10:18 am

      I contacted the hospital and have asked them to respond to the allegations you have made that they had knowledge that patient data were on a personal laptop, etc. Because it’s the weekend, I will not be able to get a response from them until Monday, but I will post their response on Monday.

      I am not aware of any other breaches that they’ve had, although even if they had, it wouldn’t be surprising as almost every hospital has had a number of breaches by now.

  5. spiritsolver says:
    July 31, 2010 at 2:15 pm

    I thank you admin….what I have said is all true. It’s time for the entire truth to come out.

    1. cindy714 says:
      August 2, 2010 at 5:15 pm

      I’d like to thank spiritsolver and the admin for their help in disclosing the truth. I too was violated by this AND the only reason I was an inpatient to begin with was because I went in for a routine colonoscopy and it was botched. It was an experience I wish I could erase. The first thing I said when I learned of this to my friend was “I’m sure this happened right under a manager’s nose”. I’d be interested to know who was fired.

      I personally have issues with putting my personal info out there again even if it IS with an identity theft agency. Why would I be reassured that everyone that works there is kosher. “Bonded” doesn’t reassure me either. Heartwarming to know HIPAA is worthless.

      But thanks very much for your input spiritsolver and your effort admin to try to disclose the truth

      1. admin says:
        August 2, 2010 at 7:32 pm

        I don’t know the truth, Cindy714, which is why I reached out to the hospital to ask them to respond. I didn’t hear from them today as I expected to, so I sent them a second request.
