Two laptop computers have been stolen from the cars of Providence Hospice and Home Care employees. They contained the names, addresses, social security numbers and medical records of 122 patients. A similar incident occurred last December when 365,000 patient files from a Providence affiliate were also stolen.
Two laptop computers containing private medical details of 122 Providence Hospice and Home Care patients were stolen within days of each other from the cars of hospital employees. Client names, addresses, social security numbers and the results of medical examinations have all ended up in the hands of the criminals.
As a result of the theft, 97 hospice patients and 25 people receiving home care treatment face the threat of identity theft. The details of the former group of patients were on a laptop stolen on Feb. 27, while the second laptop with the latter's details was stolen a few days later on March 3.
There is no evidence as yet to suggest that the thieves targeted the confidential information rather than the expensive computers themselves. Nevertheless, the hospital has set up a team of 15 people to notify all those affected by the data leak. Unlike many other similar cases, when it is considered sufficient to send out notification letters by post, Providence Hospice and Home Care have had to track down relatives of elderly patients and also hire interpreters to explain the dangers to some of those affected. All that, despite the fact that only 122 people are involved, could cost the organization a significant amount. All the victims have also been offered one year of free credit transaction monitoring and other safeguards against identity theft.
A Providence Hospice and Home Care spokeswoman said that encryption software has been installed on the company's 120 laptops. But that appears to be nothing more than a reaction to the laptop thefts, as the two stolen computers were not protected by encryption.
One interesting aspect of the company's IT security policy states that employees must either keep their laptops with them at all times or in a secure place. It appears that the authors of the security policy failed to emphasize just what exactly constitutes a “secure" place for storing a laptop.
The thefts are not the first time the company has been let down by its IT security policy. Last year two other laptops were stolen: in September the details of 8 hospice patients were lost as were the details of 14 home care clients in December. However, those incidents were minor compared to the theft of data tapes with information on 365,000 patients at Providence Home Services, an affiliate company, just before New Year.
“I understand that medical organizations are not specialists in IT security, but they should at least learn from their mistakes. Just how many laptop thefts and large-scale leaks have to occur? The company has already lost four computers and the leak of hundreds of thousands of records at the end of last year is, quite honestly, difficult to comprehend," says Denis Zenkin, marketing director at InfoWatch.
“It's high time the company implemented an effective IT security policy for all its affiliates. To do that they need to invite in some professionals or hire an outside organization to provide an IT security service. Otherwise, the company risks losing all its clients and ending up bankrupt," Denis Zenkin is convinced.
Source: HeraldNet