Health Care Firm Recovers Stolen Laptop

Computerworld -

A health care group in Michigan disclosed last Tuesday that a laptop PC containing personal information on about 28,000 home-care patients had been stolen in a car theft. But the company said Thursday that it had recovered the laptop and determined that the thieves hadn't accessed the patient data.

The data on the Dell laptop was encrypted and password-protected, according to a statement from William Beaumont Hospital in Royal Oak. But the car theft, which occurred Aug. 5 in Detroit, caused particular concern among hospital officials, because the affected employee's ID access code and password were written on a piece of paper that was taped to the inside of the stolen PC.

The employee, a nurse who has since been fired, was a new worker and was still completing orientation procedures, the hospital said when it disclosed the theft. It noted that Detroit police had recovered the nurse's car without the laptop.

However, Beaumont later said that the laptop had been found after a resident of the area from which the vehicle was stolen called a hospital official and said the thief had dropped the computer while being chased on foot by someone from the neighborhood.

The system's hard drive was examined by an independent computer forensics expert, who informed Beaumont that the patient data hadn't been accessed since the theft took place.

The data included the names, addresses, birth dates, medical insurance information, Social Security numbers and some personal health records of patients who had received home-care treatment from Beaumont over the past three years. The theft of the computer wasn't related to any knowledge of its data contents, the company said, adding that the system was in a bag in the back seat of the stolen car.

Beaumont operates hospitals in Royal Oak and Troy, Mich., plus medical clinics, other facilities and the home-care service. Chris Hengstebeck, director of security at the hospital in Troy, said in a statement that Beaumont officials "are so relieved to recover the laptop so that we can put our patients' minds at rest. And we are relieved that no one's personal or medical information was accessed."

Nonetheless, the company has taken a series of internal and external actions in response to the theft. For example, Hengstebeck said in an interview that the Beaumont Home Care employees directly involved in the incident no longer work for the company. That includes the nurse and her direct managers, he said.

Beaumont also said that its IT department has reviewed and strengthened computer security systems and processes. In addition, IT staffers have inspected all the laptops used by home-care workers and are reinforcing security and password procedures with employees companywide.

Beaumont sent a letter to all of its home-care patients to notify them about the missing laptop, and it has set up a toll-free hot line and a Web site to provide information. The company also will provide a year's worth of credit-reporting services to Beaumont Home Care patients through Trans Union LLC. That offer remains in place despite the recovery of the laptop, "out of consideration for the stress and concern caused patients by the theft," Beaumont said.

The company is paying a $2,500 reward to the Detroit resident who made the phone call.

Read more about security in Computerworld's Security Knowledge Center.