New Breach: Stolen Laptop Disabled Remotely

Doctor was victim of theft in South Korea
New Breach: Stolen Laptop Disabled Remotely
A Boston physician had his unencrypted laptop stolen while he was visiting South Korea for a lecture. But the computer contained a tracking device that later was used to disable the hard drive, rendering information permanently unreadable.

The Massachusetts Eye and Ear Infirmary, a teaching hospital of Harvard Medical School, reports the laptop belonged to Robert Levine, M.D., a neurologist. It contained information on more than 3,500 patients he had treated between Feb. 3, 1988, and Feb. 16, 2010, as well as 68 others who were participants in a research project.

The organization notified South Korean police as well as state and federal authorities. Under the HITECH Act's breach notification rule, organizations must report breaches of unsecured health information involving more than 500 individuals to the Department of Health and Human Services and the media within 60 days.

The hospital believes that personal information on the laptop did not include Social Security numbers or credit information. The device, however, included patient names, addresses, phone numbers, dates of birth, medical records numbers and certain medical information.

Device disabled

The laptop, which was stolen Feb. 19, was equipped with a "LoJack for Laptops" tracking device from Absolute Software Corp., Vancouver, British Columbia. The tracking device automatically alerted Absolute on March 9 when the stolen computer was connected to the Internet in South Korea, the hospital reports.

The device determined a new operating system had been installed on the computer after the theft and confirmed software needed to access most of the information about affected patients had not been reinstalled. On April 9, once the hospital determined it was unlikely that continued monitoring would lead to the computer's retrieval, a command was sent to the tracking device disabling the hard drive and rendering all information on it unreadable.

The Boston hospital notified all individuals who could have been affected by the breach and offered them one free year of credit monitoring and identity theft insurance.

To prevent similar breaches, the hospital is encrypting its laptops that link to its computer network and educating staff about limiting the amount of data stored on the portable devices.


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network