New Breach: Stolen Laptop Disabled RemotelyDoctor was victim of theft in South Korea
The Massachusetts Eye and Ear Infirmary, a teaching hospital of Harvard Medical School, reports the laptop belonged to Robert Levine, M.D., a neurologist. It contained information on more than 3,500 patients he had treated between Feb. 3, 1988, and Feb. 16, 2010, as well as 68 others who were participants in a research project.
The organization notified South Korean police as well as state and federal authorities. Under the HITECH Act's breach notification rule, organizations must report breaches of unsecured health information involving more than 500 individuals to the Department of Health and Human Services and the media within 60 days.
The hospital believes that personal information on the laptop did not include Social Security numbers or credit information. The device, however, included patient names, addresses, phone numbers, dates of birth, medical records numbers and certain medical information.
The laptop, which was stolen Feb. 19, was equipped with a "LoJack for Laptops" tracking device from Absolute Software Corp., Vancouver, British Columbia. The tracking device automatically alerted Absolute on March 9 when the stolen computer was connected to the Internet in South Korea, the hospital reports.
The device determined a new operating system had been installed on the computer after the theft and confirmed software needed to access most of the information about affected patients had not been reinstalled. On April 9, once the hospital determined it was unlikely that continued monitoring would lead to the computer's retrieval, a command was sent to the tracking device disabling the hard drive and rendering all information on it unreadable.
The Boston hospital notified all individuals who could have been affected by the breach and offered them one free year of credit monitoring and identity theft insurance.
To prevent similar breaches, the hospital is encrypting its laptops that link to its computer network and educating staff about limiting the amount of data stored on the portable devices.