A health care group in Michigan disclosed last Tuesday that a laptop PC containing personal information on about 28,000 home-care patients had been stolen in a car theft. But the company said Thursday that it had recovered the laptop and determined that the thieves hadn't accessed the patient data.
The data on the Dell laptop was encrypted and password-protected, according to a statement from William Beaumont Hospital in Royal Oak. But the car theft, which occurred Aug. 5 in Detroit, caused particular concern among hospital officials, because the affected employee's ID access code and password were written on a piece of paper that was taped to the inside of the stolen PC.
The employee, a nurse who has since been fired, was a new worker and was still completing orientation procedures, the hospital said when it disclosed the theft. It noted that Detroit police had recovered the nurse's car without the laptop.
However, Beaumont later said that the laptop had been found after a resident of the area from which the vehicle was stolen called a hospital official and said the thief had dropped the computer while being chased on foot by someone from the neighborhood.
The system's hard drive was examined by an independent computer forensics expert, who informed Beaumont that the patient data hadn't been accessed since the theft took place.
The data included the names, addresses, birth dates, medical insurance information, Social Security numbers and some personal health records of patients who had received home-care treatment from Beaumont over the past three years. The theft of the computer wasn't related to any knowledge of its data contents, the company said, adding that the system was in a bag in the back seat of the stolen car.
Beaumont operates hospitals in Royal Oak and Troy, Mich., plus medical clinics, other facilities and the home-care service. Chris Hengstebeck, director of security at the hospital in Troy, said in a statement that Beaumont officials "are so relieved to recover the laptop so that we can put our patients' minds at rest. And we are relieved that no one's personal or medical information was accessed."
Nonetheless, the company has taken a series of internal and external actions in response to the theft. For example, Hengstebeck said in an interview that the Beaumont Home Care employees directly involved in the incident no longer work for the company. That includes the nurse and her direct managers, he said.
Beaumont also said that its IT department has reviewed and strengthened computer security systems and processes. In addition, IT staffers have inspected all the laptops used by home-care workers and are reinforcing security and password procedures with employees companywide.
Beaumont sent a letter to all of its home-care patients to notify them about the missing laptop, and it has set up a toll-free hot line and a Web site to provide information. The company also will provide a year's worth of credit-reporting services to Beaumont Home Care patients through Trans Union LLC. That offer remains in place despite the recovery of the laptop, "out of consideration for the stress and concern caused patients by the theft," Beaumont said.
The company is paying a $2,500 reward to the Detroit resident who made the phone call.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts