Speare Memorial Hospital in Plymouth (New Hampshire) is warning patients that a laptop computer with patient information was stolen last month.
Officials said the computer was in an employee’s locked car in Boston on April 3. It contained patient names, addresses, hospital account numbers, medical record numbers, and other patient and health information.
With one exception, no Social Security numbers, insurance information or credit card information was on the computer.
Okay, now that would have been bad enough – after all, what were such sensitive data doing on a laptop without encryption and then just left in an employee’s car? But the notification gets much worse from my perspective:
Hospital spokeswoman Michele Hutchins said the hospital believes the information might not be on the laptop any longer.
“Most likely this computer has been scrubbed, because the person who took it is was most interested in the hardware, but you can’t assume that,” she said.
That is just pure speculative bullshit. It is self-serving and minimizes the risk – and may mislead patients into not taking immediate and necessary steps to protect themselves.
For my money, breached entities should be be barred from making such statements.
The hospital said it immediately notified the nearly 6,000 patients affected and is working to beef up security. The employee who had the laptop has resigned.
“That management level administrator has since resigned because the confidential information was only designed to stay on the hospital’s secure server and not be saved on the hard drive of a portable computer,” said Michele Hutchins, hospital spokeswoman.
What do they mean “designed to stay on the secure server?” What prevented it from being downloaded to a portable device other than instructions to employees of “don’t do this?”
Seriously. When I read breach disclosures like this one, I really wish the government would just start handing out stiff fines.
The hospital’s statement, linked from its home page, reads:
Patients Notified of Potential Breach of Protected Health Information
Speare Memorial Hospital has been alerted that a laptop computer containing protected health information was stolen from an employee’s secured, parked automobile on April 3, 2011. The computer was password protected, however that does not afford complete protection from unauthorized access. The protected health information on the computer included patient names, and in some instances: patient addresses, hospital account numbers, medical record numbers, physician names, dates of service, procedure codes, and diagnosis codes.
Speare Memorial Hospital is fully committed to protecting all of the information that our patients have entrusted to us. Upon learning of this incident the day after, we immediately undertook a process to identify the extent of information on the computer and have sent a letter of notification to the patients affected by this potential breach. Additionally, we have engaged experts to assist us in identifying additional safeguards that would strengthen our current security measures, and a police report has been filed.
We sincerely regret this incident. Protecting our patients’ personal and health information privacy is very important to us and we will continue to do everything we can to correct this situation and fortify our security protections. We will be monitoring for any indication of misuse of patient information, and recommend that patients review their future hospital account statements closely.
Patients with questions or concerns regarding this matter should contact us at 866-331-1226 during our normal business hours Monday through Friday, or via email: [email protected]
So why does the notice say “potential breach?” THE DATA WERE STOLEN. And describing the employee’s car as “secured?” Seriously – a locked car is “secured?” Stop minimizing this, Speare.