Breach Involves Laptop TheftsCalifornia health system warns 5,450 patients
The laptops were stolen in February from the John Muir Network Perinatal Office in Walnut Creek. They contained personal and health information going back more than three years.
Although the laptops were not encrypted, they were password protected and "contained data in a format that would not be readily accessible," said Hala Helm, vice president, chief compliance and privacy officer. "While we have no evidence that the information has been accessed or used inappropriately, we cannot rule out that possibility."
Many of the major breach cases tallied by the Department of Health and Human Services' Office for Civil Rights involve the theft or loss of laptops and other devices. The tally now includes about 56 breaches confirmed since September, when new reporting requirements kicked in.
Under the HITECH Act's breach notification rule, such incidents must be reported to HHS and the media within 60 days.
John Muir Health, which owns two hospitals, is providing those who may be affected with a free identity theft protection program from Equifax for one year. It's recommending patients place a fraud alert on their credit files.
As a result of the incident, John Muir is implementing additional safeguards, Helm says. "Patient information stored on laptops at the perinatal office is now encrypted, and the laptops are locked down," he says. "Encryption software is also being installed on John Muir Health laptops throughout the organization."
The organization is working with local law enforcement officials investigating the theft.