Montefiore Medical Center in New York has experienced two computer thefts in recent months. Although neither incident appears on HHS’s web site of reported breaches as of the time of this posting, a statement on Montefiore Medical Center‘s web site indicates that both thefts involved computers containing sensitive personal and medical information of patients and students. The stolen computers are described as “password-protected” but there is no mention of whether there was any encryption in use:
Montefiore Medical Center has experienced two computer thefts.
During the weekend of May 22, 2010, two desktop computers were stolen from Montefiore’s Finance Department. Montefiore discovered the theft on Monday, May 24, 2010. Some patient information was stored on the computers, including patient names and medical record numbers. The patients involved are covered by Medicaid and/or Medicare, including Medicaid or Medicare Managed Care Plans. In some cases, patients’ social security numbers, dates of birth, hospital admission dates and/or insurer information was also included. No diagnoses or other medical information was contained on the computers.
After close of business on June 9, 2010, three desktop computers were stolen from Montefiore’s School Health Program Administrative Offices. The theft was discovered on June 10, 2010. Some information about students enrolled in Montefiore’s School Health Program was included on the computers.
The information on the School Health computers included students’ names, dates of birth, medical record numbers, parent or guardian contact numbers and whether a student has a social security number. No actual social security numbers were on the stolen computers. For students diagnosed with asthma, the asthma diagnosis, vaccination information and number of visits to our school health clinic were also included. No other diagnoses or other medical information regarding the students was on the stolen computers.
Each of the stolen desktops was password protected.
Montefiore is cooperating with the police investigations. Neither Montefiore nor the police has any reason to believe that the thieves are interested in, or would use, any information stored on the computer. Nevertheless, as a precautionary measure, we are notifying the affected individuals and are providing advice concerning identity protection. Medicaid and Medicare patients, and parents, guardians or students can call Montefiore representatives at Identity Force, Toll free, at 800-295-0136, to find out if they are among the individuals whose information was stored on the stolen computers.
Montefiore takes its patients’ privacy seriously, and regrets that these thefts have occurred. We are implementing additional measures to further maximize the security of patient information.
A copy of the medical center’s notification to those affected by the June incident can be found here (pdf).
Earlier this year, Montefiore also experienced the theft a laptop computer containing protected health information on 625 individuals. That theft, which occurred February 20, was reported to HHS on March 23.
Update: According to a hospital spokesperson with whom I spoke today, the Finance Department theft affected 16,000 patients, while the School Health Program theft affected 23,000 students and their families. No arrest has been made in either case yet. The hospital declined to be specific about what steps they are taking to prevent future incidents of this kind, but note that they are taking steps.
On notification letter- Why would they tell parents to watch their children’s bank accounts? Most don’t have one but if no financial information or SSN was taken, then why the caution? What aren’t we being told
I assume they’re erring on the side of caution on that. But what I want to know is how you have 5 computers stolen from offices, none of the five are reported to have been encrypted, and a 6th computer stolen earlier this year (although we don’t know from where).
Apart from the encryption issue, where is the physical security on their offices that they had these two most recent thefts? This is very worrying.
On notification letter- Why would they tell parents to watch their children’s bank accounts? Most don’t have one but if no financial information or SSN was taken, then why the caution? What aren’t we being told
I assume they’re erring on the side of caution on that. But what I want to know is how you have 5 computers stolen from offices, none of the five are reported to have been encrypted, and a 6th computer stolen earlier this year (although we don’t know from where).
Apart from the encryption issue, where is the physical security on their offices that they had these two most recent thefts? This is very worrying.
I can see how it would happen. Our finance office is in a separate building from the main hospital, and there is no one in that building at night or on weekend & holidays. Jimmy the locks on a few doors (not terribly difficult, especially if the locks are more than about 5 years old), and you suddenly have access to about 2 dozen desktop PC’s. Because the PC’s aren’t mobile devices that leave hospital property, they aren’t encrypted. Even with security making hourly rounds in the building, it wouldn’t take more than about 10 minutes for a thief to have unloaded half a dozen PC’s into the elevator and be out the door.
I’ve always maintained that anyone doing any kind of security work has to think like the people they are trying to defeat. Thus, why I can think of a scenario in which it would be that easy.
Thanks, Beth.
We’ve seen massive breaches of sensitive information from office burglaries where sensitive financial and personal information were left unencrypted. Although encrypting data at rest poses some hassles in terms of usability/convenience, given the cost of data breaches, and given that theft of computers is a significant percentage of health care sector breaches, I am frustrated that entities are not investing more in better security.
I can see how it would happen. Our finance office is in a separate building from the main hospital, and there is no one in that building at night or on weekend & holidays. Jimmy the locks on a few doors (not terribly difficult, especially if the locks are more than about 5 years old), and you suddenly have access to about 2 dozen desktop PC’s. Because the PC’s aren’t mobile devices that leave hospital property, they aren’t encrypted. Even with security making hourly rounds in the building, it wouldn’t take more than about 10 minutes for a thief to have unloaded half a dozen PC’s into the elevator and be out the door.
I’ve always maintained that anyone doing any kind of security work has to think like the people they are trying to defeat. Thus, why I can think of a scenario in which it would be that easy.
Thanks, Beth.
We’ve seen massive breaches of sensitive information from office burglaries where sensitive financial and personal information were left unencrypted. Although encrypting data at rest poses some hassles in terms of usability/convenience, given the cost of data breaches, and given that theft of computers is a significant percentage of health care sector breaches, I am frustrated that entities are not investing more in better security.