Computer theft may have exposed patient data across five states

Computerworld - The theft of a computer from the office of an Ohio-based health care contractor on Nov. 23 has exposed sensitive data belonging to tens of thousands of patients in five health care firms across five states.

The compromised data includes the names, addresses, medical record numbers, diagnoses, treatment information and Social Security numbers of the patients. Among those affected are patients at Atlanta-based Emory Healthcare, Danville, Pa.-based Geisinger Health System and Franklin, Tenn.-based Williamson Medical Center. The names of two other health care providers affected by the burglary at Cincinnati-based Electronic Registry Systems Inc. (ERS) have not yet been released.

In an e-mailed statement, ERS said that the burglary appeared to have been part of a larger break-in that included several other offices in the same building.

"Law enforcement officials have no evidence that the theft was motivated by the intent to steal data," said ERS, which has 15 employees. The company added that it has implemented "multiple layers of security" to protect the data on the stolen computer but offered no details on what those measures include. ERS currently helps more than 300 regional hospitals, cancer centers and university hospitals manage their health care information.

A Geisinger spokesman today confirmed the compromise and said the stolen computer held data on approximately 25,000 of its patients. ERS manages a patient registry database for Geisinger and had implemented "multiple protections" on the computer such as double password and log-in protection to secure the information, Geisinger said in a statement.

"We believe that it is unlikely that the information can be retrieved from the stolen equipment," Geisinger Chief Medical Officer Bruce Hamory said in the statement.

The health system has contracted with an AIG member company to provide identity theft protection coverage for a year. Features of the coverage include expense reimbursement and services to help identity theft victims file affidavits with the U.S. Federal Trade Commission and notify affected creditors.

In a statement, an Emory spokeswoman said her company mailed letters on Dec. 20 to 36,000 patients alerting them of the incident. ERS provides cancer registry data processing services to Emory. Hospital data in the stolen computer was from Emory Hospital, Crawford Long Hospital and the Grady Memorial Hospital, the statement said.

"The registry information on the computer in question was double password-protected making it extremely difficult to access," the spokeswoman said in the statement. "This appears to be a random 'smash and grab' break-in and according to the local police investigator not a theft for purposes of stealing information off the computer."

ERS is withholding the names of the other two health care providers affected by the theft until they begin notifying patients about the compromise, a spokeswoman said.

News of the theft comes amid heightening concerns about privacy breaches involving health care data. Last September, the Government Accountability Office released a report showing that more than 40% of U.S. Medicare contractors and state Medicaid agencies experienced a security breach involving protected health information during the past two years. Similarly, 44% of Medicaid agencies, 42% of Medicare fee-for-service contractors and 38% of the contractors for the Tricare program reported similar breaches.

Read more about security in Computerworld's Security Knowledge Center.