Computer theft may have exposed patient data across five states
Tens of thousands of people could be affected
January 4, 2007 12:00 PM ETComputerworld - The theft of a computer from the office of an Ohio-based health care contractor on Nov. 23 has exposed sensitive data belonging to tens of thousands of patients in five health care firms across five states.
The compromised data includes the names, addresses, medical record numbers, diagnoses, treatment information and Social Security numbers of the patients. Among those affected are patients at Atlanta-based Emory Healthcare, Danville, Pa.-based Geisinger Health System and Franklin, Tenn.-based Williamson Medical Center. The names of two other health care providers affected by the burglary at Cincinnati-based Electronic Registry Systems Inc. (ERS) have not yet been released.
In an e-mailed statement, ERS said that the burglary appeared to have been part of a larger break-in that included several other offices in the same building.
"Law enforcement officials have no evidence that the theft was motivated by the intent to steal data," said ERS, which has 15 employees. The company added that it has implemented "multiple layers of security" to protect the data on the stolen computer but offered no details on what those measures include. ERS currently helps more than 300 regional hospitals, cancer centers and university hospitals manage their health care information.
A Geisinger spokesman today confirmed the compromise and said the stolen computer held data on approximately 25,000 of its patients. ERS manages a patient registry database for Geisinger and had implemented "multiple protections" on the computer such as double password and log-in protection to secure the information, Geisinger said in a statement.
"We believe that it is unlikely that the information can be retrieved from the stolen equipment," Geisinger Chief Medical Officer Bruce Hamory said in the statement.
The health system has contracted with an AIG member company to provide identity theft protection coverage for a year. Features of the coverage include expense reimbursement and services to help identity theft victims file affidavits with the U.S. Federal Trade Commission and notify affected creditors.
In a statement, an Emory spokeswoman said her company mailed letters on Dec. 20 to 36,000 patients alerting them of the incident. ERS provides cancer registry data processing services to Emory. Hospital data in the stolen computer was from Emory Hospital, Crawford Long Hospital and the Grady Memorial Hospital, the statement said.
"The registry information on the computer in question was double password-protected making it extremely difficult to access," the spokeswoman said in the statement. "This appears to be a random 'smash and grab' break-in and according to the local police investigator not a theft for purposes of stealing information off the computer."
ERS is withholding the names of the other two health care providers affected by the theft until they begin notifying patients about the compromise, a spokeswoman said.
News of the theft comes amid heightening concerns about privacy breaches involving health care data. Last September, the Government Accountability Office released a report showing that more than 40% of U.S. Medicare contractors and state Medicaid agencies experienced a security breach involving protected health information during the past two years. Similarly, 44% of Medicaid agencies, 42% of Medicare fee-for-service contractors and 38% of the contractors for the Tricare program reported similar breaches.
Electronic Registry Systems
Additional Resources



White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
