DataBreaches.Net

North Country Hospital struggles to retrieve laptop that may contain PHI from former employee (UPDATED)

Posted on October 16, 2013 by Dissent

North Country Hospital in Newport, Vermont posted this notice on their web site:

North Country Hospital is alerting its patients to the discovery of a recent privacy breach that may involve your personal information. On September 18, 2013, we received notice that a former employee of the Hospital claimed to be in possession of a retired laptop that contains patient health information. It is our belief that the patient health information is password protected and that this individual has access to the appropriate password(s) by virtue of his former position with the Hospital. The Hospital immediately demanded the return of the laptop, but the individual failed and refused to return it and has continued to do so.

We immediately reported this incident to federal, state and local enforcement agencies and sought their assistance to regain possession of the laptop to determine its contents and to what extent patient information is accessible on it. In particular, we sought the assistance of the Newport Police Department on September 20, 2013. We contacted the Vermont Attorney General’s Office on September 27, 2013 and the U.S. Department of Health and Human Services on September 30, 2013 to report the situation. We have also taken efforts to identify what, if any, patient health information may be contained on the laptop, which is complicated by the fact that the former employee has refused us access to the laptop.

It was our hope that through the enforcement agencies we would be able to gain access to the laptop in order to determine the exact information on the laptop and provide meaningful notice to our affected patients as expediently as possible. However, not knowing when and if we will regain possession of the laptop, we have opted to provide this Public Notice at this time.

In the course of making demands of the Hospital, the former employee provided some limited information suggesting the contents of the laptop. Based on that information, we have been able to identify individuals who may have health information that was accessed by this individual. Those individuals are receiving individualized notices that address the nature of their personal information we believe may have been stored under password protection on the laptop.

At this time, we do not have reason to believe that the former employee has used or disclosed any health information other than to make demands for monetary compensation upon the Hospital. Also, we do not at this time have any information that there was any financial information stored on the laptop, such as credit card numbers, bank account numbers or Social Security numbers.

North Country Hospital has followed established policies and procedures to prevent this former employee from gaining access to further information. All administrator-level computer system user codes and passwords that he had access to were changed, and the compromised laptop will be “locked-out” if there is an attempt to re-connect to the hospital information systems.

If you have questions or wish to learn additional information, please contact Andre Bissonnette, North Country Hospital Compliance Officer at (802) 334-3253, or via e-mail at: [email protected]

We are deeply disturbed by and apologetic about this situation, and we understand that this may be very unsettling for our patients. We sincerely apologize and regret that this situation has occurred. North Country Hospital is committed to providing quality care and to protecting your personal information and want to assure you that we are taking every step to further improve policies and procedures to protect your privacy.

The former employee, Christian Cornelius, provides a different version of events. According to WCAX:

Cornelius worked in the IT department at the hospital and says a fellow employee took a discarded computer and asked him to install a fan and hard drive.

“It’s lying around, there’s a pile with discarded laptops, you grab the one with the least scratches on it,” he said.

Cornelius says when he finally booted it up, there was more than he bargained for.

“It sat on my workbench for seven months,” he said. “I finally turned it on in September and found it was loaded with medical records and had the hard drive still in it.”

Cornelius says he immediately contacted the hospital, but his calls were ignored.

What’s not clear from the hospital’s statement or media coverage is what was supposed to happen to laptops slated to be discarded or “retired.” Were they sent to IT for secure wiping before being auctioned or sold as surplus or were they just supposed to be thrown out, or….? Were discarded laptops available to employees to just take with the hospital’s approval, or was the laptop in question removed from the premises without authorization?

Hopefully, HHS will ask.

This is not the first time we’ve seen an entity seek legal assistance in recovering devices with PHI. In the case of Kaiser Permanente and its former business associate, Surefile, the court declined to order Surefile to turn over its devices, but those were its devices, not KP’s. In this case, one wonders why a court doesn’t simply order the former employee to return what appears to be hospital property – or at the very least, turn it over to the court for secure keeping.

h/t, HealthITSecurity.com

UPDATE: Vermont Public Radio (VPR) has additional details on this case, although it’s still a he said – they said controversy.

Category: Health Data

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.