Laptop Breach: A Security ReminderUniversity Calls Attention to Recommended Security Steps
The laptop containing information on about 3,200 patients was stolen Aug. 16 from the locked car of a physician who works at the school's department of surgery. The information, which the physician was using to conduct research, included patient names, ages, sex, diagnoses, medical record numbers and, in 178 cases, Social Security numbers.
The school has notified the affected patients. On Sept. 9, it posted a statement about the breach and a detailed "frequently asked questions" notice on its website. "Although patient information is supposed to be stored in ways that reduce the possibility that others will have access to it, the information downloaded to this computer was not as secure as it could be," the FAQ notice acknowledges.
The notice also points out: "The computer laptop was password protected and stored behind a locked door, but it should have been stored using encryption ... and/or the information should have been 'de-identified,' a process that removes any way to link it to an individual."
The FAQ notice also states that faculty, staff and residents "are being stringently reminded to store all institutional data on a secure network drive or encrypted drive meeting IU and IU Health partners' specifications. Further steps have been, and continue to be, taken system-wide to help administrators, faculty and staff minimize the use and retention of and access to Social Security numbers and other sensitive data. These steps include an educational campaign with personnel throughout the university to discuss appropriate ways to identify and secure sensitive data as well as providing tools to help locate and secure such data in files and systems."
More than half of the incidents on the Department of Health and Human Services' list of major health information breaches involve the theft or loss of various computer devices and media. Under the HITECH Act's breach notification rule, breaches involving electronic patient information that has been properly encrypted do not have to be reported.