The thief who broke into the car of an Electronic Data Systems employee in Sacramento, Calif., in April probably had no idea how much fuss would be created over the theft of the laptop computer that was lying in the trunk.
But because the computer contained personal information for more than 21,000 beneficiaries of California's Medi-Cal system, there are concerns about widespread identity theft and public confidence in electronic medical records.
"There's plenty of talk in medical circles about the benefits of electronic medical records such as patient safety, saving money and avoiding duplicate tests," said California Medical Association spokesman Peter Warren. "But one of the biggest obstacles to winning public acceptance is the public's concern that (their records) are being safeguarded."
In response to the incident, state Sen. Jackie Speier, a Democrat from the San Francisco area, has announced she will introduce legislation that would require all state agencies and their contractors to encrypt personal information stored or transported on laptop computers.
"To an identity thief, a laptop without encryption is a bank vault with the door wide open," Speier said in a news release.
In addition to identity theft, Speier's communication director, Tracy Fairchild, said there is concern about using medical records to obtain fraudulent prescriptions.
"That's potentially a direct outcome of this type of identity theft," Fairchild said. "Who knows what a thief with the right information is capable of."
California Department of Health Services spokesman Ken August said EDS contacted the department after the theft, which occurred on April 15, but the company acknowledged it didn't know exactly what information was stored on the computer. On May 16, August said EDS notified the department that it had learned that Medi-Cal beneficiary information was on the computer and, on May 19, the identities of those beneficiaries were uncovered.
Specifically, the computer held the names and Social Security numbers of 6,852 beneficiaries; the Social Security numbers without the names of 14,398 beneficiaries; and the name, address and personal health information of 74 beneficiaries, August said.
On May 26, August said letters were sent to more than 21,000 Medi-Cal beneficiaries warning them that they could be potential victims of identity theft. They also were advised to call one of three credit bureaus to place fraud alerts on their files.
In addition, August said the department is monitoring for any medical claims being entered using the beneficiary information contained on the stolen computer.
"The likelihood is low, but we have investigators checking to see if any claims have been made," August said. "So far, none have been made."
Although the information wasn't encrypted, August said a valid user ID and password were needed to access the data, so it wasn't completely unprotected. He said that, at the time of the theft, EDS had already started encrypting information on all its computers.
"The stolen computer was scheduled for encryption the week after its theft," August said. "All the company's computers have since been encrypted."