Through the law firm of Baker & Hostetler, CHRISTUS St. John Hospital notified the New Hampshire Attorney General’s Office of a breach involving unencrypted patient information on a lost memory stick.
The Houston-based hospital learned of the September 25th incident on September 27th, but a search was unsuccessful in recovering the drive, which contained the name, date of birth, Social Security number, health insurance information, diagnoses, and progress notes on patients in the St. John Sports Medicine Program. The total number of patients whose unencrypted data were on the lost stick was not reported, and this incident, reported to New Hampshire on November 16, has not (yet) shown up on HHS’s breach tool.
A notice about the incident is also linked from the hospital’s home page. The web site notice indicates that not all patients in the program are affected, only those who were treated from January 1, 2011 to July 31, 2012.
Both the notice and the letter to New Hampshire state that “St. John has no reason to believe that any of the information has been accessed…” How would it know that? Was there some program on the stick that would call home if files were opened or the stick inserted in a computer? If not, is it misleading to suggest that there’s no reason to believe the information has been accessed if there’s also no reason to believe that it hasn’t been accessed by someone who may have found the drive? And should a hospital claim it has no reason to believe the information has been used improperly? Does it have any reason to believe it hasn’t been used improperly? Did the hospital or its lawyers run credit checks and/or any investigations that would determine whether patients’ health insurance information had been misused by others? I really wish such reassuring platitudes were impermissible absent some actual investigation or offer of proof. But that’s just my opinion.
The hospital is offering a year of free credit protection monitoring and has set up a dedicated call center for affected patients or those who have questions.
CHRISTUS St. John Hospital is part of the CHRISTUS Healthcare System. In April 2005, CHRISTUS St. Joseph Hospital in Houston reported that it was notifying 16,000 patients that a computer stolen from its business associate, Gateway File Systems, contained medical records and Social Security numbers. The theft had occurred in January 2005, and the hospital claimed that the data were encrypted. In November 2008, CHRISTUS Healthcare System reported that two backup tapes with patient information had been stolen from an unattended vehicle in Houston. I do not know whether that latter breach also affected CHRISTUS St. John Hospital patients, but its statement at the time indicated that some patients in Houston were affected, as well as patients in other parts of Texas and other states.