Stanford Incident Leads Breach RoundupThefts Involved in Two Healthcare Incidents
In this week's breach roundup, Stanford Hospital & Clinics and the School of Medicine had a computer stolen from a physician's office, the organization's second incident in less than a year. Also, a thumb drive stolen from the home of an employee of Oregon Health & Science University Hospital contained information on 14,000 patients.
Stanford Notifies 2,500 of Stolen Computer
Stanford Hospital & Clinics and the School of Medicine in Palo Alto, Calif., has notified 2,500 patients that an unencrypted computer containing information about them was stolen from a physician's locked office. Just last year, Stanford reported that a business associate's subcontractor posted information about 20,000 patients on a website.
In the most recent incident, the computer contained software that detects whether the device has connected to the Internet and then determines its location. No detection has occurred yet, Stanford officials say.
The computer contained patient names, location of services and medical record numbers. Treatment history and dates of birth were included in some cases, and Social Security numbers in rarer cases. The medical center is offering all affected patients free identity protection services.
Stolen Thumb Drive Affects 14,000 Patients
Oregon Health & Science University Hospital is notifying 14,000 patients that an unencrypted USB drive containing information about them was stolen from an employee's home in July. Two hundred OHSU employees also were affected, according to a posting on OHSU's website. The employee inadvertently took the thumb drive home in a briefcase.
The incident affects pediatric patients who were screened for vision issues, OHSU says. Information on the drive includes patient name, date of birth, phone number, address, OHSU medical record number, and a one- to four-word description of the patient's medical condition or family medical history. Staff information on the drive includes name, Social Security number, address and employment-related vaccination information.
Although USB drives are never intended to leave the campus, OHSU is developing methods to ensure they're encrypted. "OHSU plans to step up these efforts in light of this incident," the university says.
Personal Info Exposed in EPA Breach
The U.S. Environmental Protection Agency experienced a data breach involving Social Security numbers and banking information of approximately 8,000 people. Most of the victims are current employees, according to the Washington Business Journal.
While the EPA isn't providing further details into the breach itself, it told the Journal that 5,100 current employees and 2,700 "other individuals" were affected by an incident that occurred in March. The breach involved personal information exposed on an EPA database. In addition to Social Security numbers, exposed information included bank routing numbers and home addresses. The EPA is offering those affected one year of free credit monitoring services, the Journal reported.
Health Department Reports Breach
An employee at the Palm Beach County Health Department in Florida was fired after creating a list of names and Social Security numbers of at least 86 patients.
The employee allegedly transcribed the information from files stored on a computer system and then packaged the information with the intent to mail it, according to a release from the department. The package was confiscated by officials.