Washington University reports patient information incident

St. Louis, Jan. 14, 2013 — Washington University School of Medicine in St. Louis has sent letters to approximately 1,100 patients notifying them that a physician’s laptop computer containing patient information was stolen while the physician was participating in a conference in Argentina. The theft occurred Nov. 28, 2012, and the university learned of it the next day.

The laptop computer, stolen from a lecture hall, was password protected but not encrypted. Encryption is a technology that scrambles computer data to make it more difficult for an unauthorized user to retrieve the information.

When the computer was reported missing, university personnel immediately launched a thorough investigation to determine what information may have been on the stolen computer’s hard drive. That detailed review confirmed that the laptop contained patient information, including names, birth dates, medical record numbers, diagnoses, surgery dates, types of procedures, and in 39 instances, Social Security numbers. Most university patients are not affected. All of the affected individuals were patients of a Department of Surgery physician from 2002 to the present. To date, the computer has not been located.

“Washington University School of Medicine takes this incident very seriously, and we are committed to protecting patients’ health and personal information,” says Sondra Hornsey, HIPAA privacy officer with the university’s Faculty Practice Plan. “We go to great lengths to ensure Protected Health Information is not inadvertently released, and we are undertaking additional steps to prevent similar occurrences. We deeply regret and apologize for any concern or inconvenience this situation may cause our patients and their families.”

Hornsey says Washington University has no reason to believe the computer was stolen for the information it contained, but as a precautionary measure, the university is notifying affected patients and is providing call center support and identity protection services to eligible individuals. To help prevent something like this from occurring in the future, the university is expanding its use of encryption on portable devices and re-educating its workforce members regarding the importance of handling patient information securely.

The School of Medicine posted a notice about the incident on its website: http://medicine.wustl.edu/announcements/privacy_notice.