Omnicare Inc. of Kentucky recently notified 8,845 patients who had protected health information on a laptop that was stolen on January 19.
The firm, which provides pharmaceutical care for seniors, posted a statement on their web site for those using pharmacies in North Carolina:
On January 19, 2011, a laptop computer was stolen that contained a limited amount of the health information of the residents of certain North Carolina nursing homes and rehabilitation facilities serviced by Omnicare. Specifically, this laptop is used by a Consultant Pharmacist from Omnicare pharmacies who routinely visits these facilities to assist physicians in prescribing appropriate medication therapies.
In addition to limited amounts of health information, the laptop contained residents’ social security numbers, which were stored in a database that requires advanced technological skills and tools to access. No health insurance information was contained on the laptop.
Omnicare immediately reported the incident to the police and it is under investigation. Due to the limited type and amount of personal or health care information that can be easily accessed on the laptop, we believe that the misuse of residents’ personal or health information resulting from this incident is unlikely. To the extent possible, we have notified each of the residents personally, and are providing this notification out of an abundance of caution.
Omnicare is taking this matter very seriously and has conducted a thorough investigation. Please be assured that we continue to take all reasonable steps to mitigate the circumstances resulting from this incident and to protect the residents’ personal and health information from any potential risks in the future. To that end, and despite the fact that we feel this incident represents a low level of identity theft risk, we are offering each affected individual a year of free credit monitoring.
There is no evidence to date that residents’ personal or health information has been misused in any way. Nonetheless, we understand the concern that this situation may cause and want to provide this notification so residents can be vigilant in monitoring their financial accounts and credit reports in order to protect against the possibility of identity theft.
Under U.S. law you are entitled to one free credit report a year from these three national credit bureaus:
[…]
We are sorry for any inconvenience that this might have caused. The privacy and security of our patients’ personal and health information is a top priority at Omnicare and we remain committed to continuing to address this situation with the help of law enforcement officials.
Should you have any questions or need further information regarding this incident, please contact our representative Anita Leonard at 800-949-6337 ext 10622 or via email [email protected].
Metadata for the statement file indicates it was created on March 8, over a month after the theft.
I note that they keep saying “limited,” but they do not indicate the precise types of personal or protected health information involved in the breach other than Social Security numbers. Were patients’ diagnoses on the stolen laptop? How about the names of their medications? It would be nice to know. Nor do they indicate how the laptop was stolen. Was it stolen from the consultant pharmacist’s car or from some other location?
Similarly, it would be nice to know what they mean by requiring “advanced technological skills and tools.”
All in all, this disclosure is not as helpful or informative as it might have been.
How do corporations which lose other people’s highly personal information select legal eagles to write these damnable letters, anyway? I suspect that technical incompetence is quite literally a criterion. All too often, the corporation whose employee lost the information wants to cover up the fact that the hard drive of the missing laptop was not encrypted.
“The laptop contained residents’ social security numbers, which were stored in a database that requires advanced technological skills and tools to access.”
Suggested translation: “The information was stored on the missing laptop in an Excel database, which will not be legible unless the thief has installed Excel or an open source clone (or uses some other database package, and can use standard importation/translation tools to import the missing file), but the laptop’s files were not encrypted, so if the thief can do any of these things, he/she can easily read the information, which included social security numbers and other personally identifying information, plus highly sensitive health information which we are too frightened (of lawsuits) to describe further. And oh, we will never admit this, but Excel was installed on the missing laptop, so all the thief need do is to open the database using Excel.”
Omnicare Inc. of Kentucky: who did you think you were fooling? Residents of nursing care homes? Really? Permit me to suggest a suitable sentence for the employee responsible for losing the laptop: loss of job and consignment to one of the affected nursing homes. Because knowing how to encrypt a laptop is essential for anyone running around with a laptop holding sensitive information. And no bonuses for your executives next Christmas.