Okay, here’s a breach I never saw reported anywhere in my usual sources, until I read about it in a lawsuit. Via Courthouse News’ Joe Harris:
A hospital and cancer center allowed a laptop computer stuffed with unencrypted, confidential information on its patients to be stolen, and did not notify patients of the data theft for 8 weeks, patients say in a class action.
Named plaintiff Rita Barricks claims the laptop was stolen during the weekend of Dec. 4, 2010 from Barnes-Jewish Hospital dba The Siteman Cancer Center, a joint venture between Washington University and Barnes-Jewish Hospital.
Barricks says the computer contained patients’ names, addresses, phone numbers, birth dates, Social Security numbers, medical records, diagnoses, lab results, email addresses, insurance information and employment information.
“WashU and BJC have a policy of encrypting the sensitive information of plaintiffs,” according to the complaint in City Court. “However, the stolen laptop was unencrypted and contained unencrypted sensitive information.”
Barricks claims the defendants immediately knew about the theft, but waited 8 weeks – until Jan. 28 – to inform patients.
During that time, Barricks says, her identity was stolen.
Read more on Courthouse News.
This is an interesting legal approach, as she reportedly experienced harm because the defendants not only did not encrypt sensitive data but also seemingly did not take timely steps to mitigate the risk of harm to her by notifying her promptly. Will HITECH giving entities up to 60 days to report a breach be used to defend the hospital’s delay in notifying patients?
The complaint makes for interesting reading, and I wonder what the court will do with this one.
Stay tuned….