As an update to the report on a missing laptop containing information on patients at Ortho Montana, Ortho Montana did report the incident to HHS. In their notification, they indicated that 37,000 patients were notified of the December 17th incident.
A statement on Ortho Montana’s site says:
Recently, we learned that a laptop belonging to one of our employees was missing. Upon learning of this matter we immediately investigated, and determined that the laptop may have had patients’ personal information within its password-protected database.
We have now completed our formal investigation. We determined that the laptop could only be accessed via biometric finger scan, a unique username and password to access the computer, and a second-separate username and password to access a database that may contain patient information. The laptop did not retain any financial information, such as credit card or other payment information. Our investigation yielded no evidence suggesting that any patient’s private data was accessed by unauthorized persons or any other instance where patients’ personal information was misused.
Okay, that sounds a bit different than what the Billings Gazette had reported, as they had reported it as stolen, and the notification says “missing.” The notification to HHS indicates theft/loss.
Somewhat disturbingly, the notice to patients does not seem to say what kinds of information were on the stolen or missing device. Were Social Security or Medicare numbers involved? How about medical diagnoses and treatments? The notice says that there was no credit card or financial data, but what was on there?
Post revised to incorporate statement from Ortho Montana and to reflect that it may not have been stolen.
That’s not the only thing that sounds different. Whereas it was originally reported that the device was “heavily encrypted,” the above does not mention it.
Instead, it opts to state that a username and password was required, which applies to both encryption *and* password-security prompts. The latter, despite its name, provides very little security.
Yep.