From the hospital’s web site today:
Notice to Patients:
Thomas Jefferson University Hospitals has notified approximately 21,000 patients that there was a theft of a laptop computer containing personal information. Affected patients have been sent a letter detailing the extensive identity protection resources being made available to them.
On June 14, 2010, an employee reported to Thomas Jefferson University Hospitals’ security personnel that his password-protected, personal laptop computer was stolen from an office in the hospital. In violation of hospital policy, the computer contained protected health information. Individuals whose records were affected received inpatient care at Thomas Jefferson University Hospitals during a six-month period in 2008. The data included name, birth date, gender, ethnicity, diagnosis, social security number, insurance information, hospital account number and other internal and administrative coding. Though the computer was password-protected, it was not hospital-issued and the information was not encrypted. To date, there has been no indication of inappropriate use of the information stored on the stolen computer.
“On behalf of everyone at Jefferson Hospitals, please accept our apologies and know that we are committed to providing assistance to the affected patients,” said Hospitals President and Chief Executive Officer Thomas J. Lewis. “Jefferson Hospitals has extensive internal policies reflecting our commitment to the appropriate use of personal health information and employees receive training on these policies annually. The storage of patient data on an employee’s unencrypted computer – even while on TJUH premises – is a breach of hospitals’ policy.”
Read more on their web site.
Great thanks to Adam Dodge of ESI for alerting me to this notice.