Aw, c’mon, already, dammit!
From the LSU Health Science Center, today:
New Orleans, LA – A laptop stolen from a member of the faculty of LSU Health New Orleans School of Medicine has potentially exposed the protected health information of approximately 5,000 minor patients primarily living in Louisiana and Mississippi. Dr. Christopher Roth, Assistant Professor of Urology, reported that his university-issued laptop was stolen from his car sometime between the evening hours of July 16 and the early morning hours of July 17, 2015. The car was parked in front of his home. Dr. Roth said he discovered the theft on the morning of the 17th as he was leaving to attend clinic. He reported the theft to law enforcement and the university. The laptop has not been recovered.
The information on the laptop included names, dates of birth, dates of treatment, descriptions of patients’ conditions, treatments, and outcomes, lab test results, radiological and ultrasound images, medical record numbers, and diagnosis and treatment information. No Social Security numbers, credit card, bank account information or other financial data were stored on the laptop.
When the theft was reported, the Office of Compliance at LSU Health Sciences Center New Orleans began the difficult and laborious process of trying to reconstruct the files that could have been stored on the laptop to identify any patients whose information may have been compromised. When using the laptop, the data were not saved to LSU Health Sciences Center New Orleans servers, but, instead, to the laptop’s hard drive, so the specific data stored on the laptop cannot be accessed by the university. The process to reconstruct and ready notifications took nearly eight weeks to complete. It is unknown whether any specific patient’s data were on the stolen laptop, however those patients the university suspects may have been affected will receive individual notification by mail, along with information about protecting against identity theft. While the exhaustive investigation appears to have found thousands of patients, others may remain unidentified. The university asks that patients of Dr. Roth from July 2009 to July 16, 2015, who do not receive a letter either call 504-568-8672 or toll free 1-844-578-2656 or email [email protected].
Although the university is not aware of any access or misuse of the data, patients of Dr. Roth are strongly encouraged to visit the website www.identitytheft.gov, which provides a step- by-step process to respond to, and recover from, incidents of identity theft.
The university genuinely regrets any hardships this incident may have caused. In an effort to mitigate any adverse effects arising from the theft, LSU Health Sciences Center New Orleans is offering a one year subscription to a credit monitoring service for patients affected by this breach. Affected patients who wish to take advantage of this offer or need additional information should call 504-568-8672. Those patients outside the 504 area code should call 1-844-578-2656. Questions and requests can also be sent via email to [email protected].
LSU Health Sciences Center New Orleans’ policy requires users of its SYSTEM IT infrastructure to take reasonable care to avoid allowing unauthorized access to or disclosure of protected and restricted information stored on a mobile device and prohibits users from leaving SYSTEM-owned mobile devices unattended. The policy was not adhered to in this instance, and appropriate disciplinary action will be taken at the conclusion of the investigation. In addition, the university is reviewing its information security policies and procedures to determine if improvements can be made to further reduce the risk of such a breach in the future. Any changes will be included in the information security training that all employees and students are required to complete.
________________________________________________________________________
LSU Health Sciences Center New Orleans educates Louisiana’s health care professionals. The state’s health university leader, LSU Health New Orleans includes a School of Medicine, the state’s only School of Dentistry, Louisiana’s only public School of Public Health, and Schools of Allied Health Professions, Nursing, and Graduate Studies. LSU Health New Orleans faculty take care of patients in public and private hospitals and clinics throughout the region. In the vanguard of biosciences research in a number of areas in a worldwide arena, the LSU Health New Orleans research enterprise generates jobs and enormous economic impact. LSU Health New Orleans faculty have made lifesaving discoveries and continue to work to prevent, advance treatment, or cure disease. To learn more, visit http://www.lsuhsc.edu, http://www.twitter.com/LSUHSCHealth or http://www.facebook.com/LSUHSC.
HA !! I like the last paragraph.
I think it secretly says that now that something has happened to our reputation and credibility we will now- from this point on – ensure that some things are done right. Since we do not have anything in place in respects to policy or documentation that is followed or enforced, we will attempt to use this against the violator and fail miserably. We’ll hold meetings in which we will offer many blank stares and eventually decide that an expert should be brought in to assess our sad state of affairs. Eventually over time, we will blend in with the rest of the non-policy oriented breaches.
There is no excuse. If the OS is Microsoft, there is a free encryption software included in the latest windows OS’s.
WHY do you have to have this on a laptop in the first place? There are secure thumb drives that will self destruct after a given number of failed attempts. Its a low cost solution that works great.
In any case where data is stolen from a laptop the security posture is summed up in one one. LAZINESS.
I am furious over this breach. I hope OCR looks carefully at what policies were in place, and whether they were adequate. You can say an employee violated procedures and policies, but what were they and how did you monitor for compliance?
I’m also thinking that when we see breaches like this one – laptops with #PHI left in unattended vehicles – the patients should think about filing a complaint against the doctor with the state medical licensing board as an ethics complaint or complaint about negligence in adhering to duty of confidentiality.
I’ve been in the Network Security field for over 15 years. The complacency seems to take over when people let their guard down. “hype-pathethically” speaking the doctor, probably a few times, simply forgot the laptop in the car and came out the next morning to see that all was ok the next morning. Depending on where their vehicle is parked and what type of atmosphere they are exposed to, can produce a rather high risk situation real quick.
In this day and age, the common factor of trust has left the planet for most. People are getting smarter in the way they commit crimes, and this could have been a targeted attack, a simple car door check to see if they car is unlocked by a petty thief or the Doctor could have concocted up a story, and maybe left the laptop at an eatery or bar and it was heisted. Who knows the bottom line truth.
Organizations can opt in to place recovery software on highly valuable/sensitive laptops, but they believe in the long run it is not worth it. Lets hope the crook that took the laptop simple slicks the drive and pawns it off out his trunk to some person who wont try to recover any data from it.
I think like many of the lawsuits out there, its becoming simply impossible to tie the fraudulent use of PII to a specific crime. I agree, if some one is made an example of a situation they created, then others corporations and individuals will snap their head in that direction and take notice.
I am sick of a breach containing the stereo typical “we take security very seriously”, or words to that effect. If they truly cared, the practices would be in place that would circumvent many of these type of issues.
There will be hundreds of comments across the world about situations like these, but they are often too late. =\