Laptop Breach: A Security Reminder

University Calls Attention to Recommended Security Steps
Indiana University School of Medicine is reminding faculty, staff and residents about the importance of encryption and other information security steps after the theft of an unencrypted laptop.

The laptop containing information on about 3,200 patients was stolen Aug. 16 from the locked car of a physician who works at the school's department of surgery. The information, which the physician was using to conduct research, included patient names, ages, sex, diagnoses, medical record numbers and, in 178 cases, Social Security numbers.

The school has notified the affected patients. On Sept. 9, it posted a statement about the breach and a detailed "frequently asked questions" notice on its website. "Although patient information is supposed to be stored in ways that reduce the possibility that others will have access to it, the information downloaded to this computer was not as secure as it could be," the FAQ notice acknowledges.

The notice also points out: "The computer laptop was password protected and stored behind a locked door, but it should have been stored using encryption ... and/or the information should have been 'de-identified,' a process that removes any way to link it to an individual."

The FAQ notice also states that faculty, staff and residents "are being stringently reminded to store all institutional data on a secure network drive or encrypted drive meeting IU and IU Health partners' specifications. Further steps have been, and continue to be, taken system-wide to help administrators, faculty and staff minimize the use and retention of and access to Social Security numbers and other sensitive data. These steps include an educational campaign with personnel throughout the university to discuss appropriate ways to identify and secure sensitive data as well as providing tools to help locate and secure such data in files and systems."

More than half of the incidents on the Department of Health and Human Services' list of major health information breaches involve the theft or loss of various computer devices and media. Under the HITECH Act's breach notification rule, breaches involving electronic patient information that has been properly encrypted do not have to be reported.

About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
