Burglary Leads to Breach

Device lacked encryption
Burglary Leads to Breach
A unencrypted laptop stolen from an employee's home has led to a breach of information on about 12,500 patients at Shands HealthCare in Gainesville, Fla.

The laptop contained the Social Security numbers of about 650 people, Shands reports. Other personal information stored on the laptop may include names, addresses, physician names, medical record numbers and abbreviated medical procedure or condition codes.

A Shands employee had downloaded the health information onto an unencrypted Shands-owned laptop at home for work-related purposes, the provider organization reported.

The employee reported the computer stolen on Jan. 27 when the employee's home was burglarized. Shands immediately notified the Gainesville Police Department and initiated an investigation into the theft. Shands also immediately launched an internal investigation.

Although Shands says it has no evidence that any of the confidential information stored on the computer has been used for fraudulent purposes, it is mailing notification letters to affected individuals this week. The letters contain "instructions about taking additional protective steps," the organization says. Shands also has posted a notice on its Web site.

The HITECH Act's breach notification rule requires providers to notify those affected by a breach within 60 days. The theft of properly encrypted information, however, does not need to be reported.

The organization says it has launched a "systemwide encryption initiative to better safeguard protected health information stored on Shands-owned computers, laptops and other portable communications devices as well as on employee-owned devices used to support Shands work."

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.