IU medical school reports laptop theft

Posted: September 15, 2011 - 12:30 pm ET

Tags:

The Indiana University School of Medicine may soon join more than 300 organizations on the public list of healthcare entities involved in major records breaches, after the reported theft of a physician's laptop computer.

Advertisement | View Media Kit

According to a School of Medicine news release, the Indianapolis-based medical school began sending letters to 3,192 individuals whose personal information—including name, age, diagnoses, medical record numbers and, for 178 people, Social Security number—was stored on the laptop, which belonged to a physician in the school's surgery department and was reported was stolen from a car on Aug. 16.

The letters to patients went out Sept. 2. The laptop was password-protected, but would be accessible "by a computer specialist with enough time and resources," according to the release.

The school also has posted a Web page that offers information on how affected persons can protect themselves from the possible unauthorized use of their personal information. The data, which was being used for research, involved "a specific set of patients from 1980 through 2009," according to the Web page.

The Web page says that surgery department "faculty, staff and residents are being stringently reminded to store all institutional data on a secure network drive or encrypted drive." Meanwhile, it said, further steps have been taken systemwide "to help administrators, faculty and staff minimize the use and retention of and access to" Social Security numbers and "other sensitive data."

"These steps include an educational campaign with personnel throughout the university to discuss appropriate ways to identify and secure sensitive data, as well as providing tools to help locate and secure such data in files and systems," the release noted.

Pursuant to the American Recovery and Reinvestment Act of 2009, healthcare providers responsible for breaches of personally identifiable medical records involving 500 or more patients must report those breaches promptly to the Office for Civil Rights at HHS for public posting on the office’s website.

According to the list, and recent reports to Congress, more than 30,750 breaches have been reported to the Office for Civil Rights in the past two years involving more than 12 million patients’ records.

As of Thursday morning, 314 breaches involving at least 500 records have been posted to the Office for Civil Rights’ website. In addition, the office has received more than 30,500 reports of lesser breaches, each involving fewer than 500 records, according to the reports to Congress.