Dean Health System and St. Mary's Hospital reported that a personal laptop computer containing medical information on more than 3,000 patients was stolen from the home of a physician on November 8, 2010. The records the physician kept on the personal laptop were unauthorized and in violation of the Dean/St. Mary's privacy and information security policy. The health care providers did not say whether disciplinary action against the physician would be taken.
The unauthorized records did not contain the types of information needed to commit identity theft such as Social Security numbers, contact information, credit card numbers or other financial information.
The statement released on Monday said that the unsecured files kept by the physician included patient names, dates of birth, medical record numbers, diagnoses, medical procedures and possibly pathology data. Although these are not the kinds of information needed to commit identity theft, disclosure of such information violates patient privacy rights under federal and state laws.
Despite the minimal risk of identity theft, the medical providers have offered identity theft risk mitigation services to those patients whose records were compromised through the theft of the laptop.
The Dean/St. Mary's public relations approach is in stark contrast to that of the University of Wisconsin, which announced a data breach earlier this month. The UW System potentially exposed the names and Social Security numbers of 60,000 staff and students to hackers. The UW System has firmly denied victims of that breach access to identity theft risk mitigation services, even though the risk of identity theft through misuse of a Social Security number is extraordinarily high compared with the Dean/St. Mary's situation.
Despite the low risk of identity theft or of a medical privacy violation causing reputational, financial or emotional harm to patients, information about the Dean Health System and St. Mary's Hospital breach can be found easily on the home page of either health care provider. The UW data breach web page has been hidden from the public, even though the severity of compromising 60,000 Social Security numbers is of broad local, state and national interest, because former students and staff may reside anywhere in the world.
Dean spokesperson Kim Sveum indicated that any patient data stored on Dean computers is properly secured through encryption as required by the Health Insurance Portability and Accountability Act. The physician who collected patient data on his or her own computer did not encrypt the data.
The UW is subject to different laws that require reasonable and appropriate information security. The 2008 revisions to the Family Educational Rights and Privacy Act (FERPA), which apply to all educational institutions that receive federal funding, require protection of student information including Social Security numbers. The law also recommends that educational institutions adopt standard security practices to protect electronic data such as data encryption.
Today data encryption is a built-in feature of personal computer operating systems such as Windows Vista and Windows 7 (BitLocker, available in the Ultimate and Enterprise editions). Some vendors of standalone encryption programs also offer a free license for personal use, and TrueCrypt, an open source disk encryption program, is available free to anyone.
It is inexcusable, and in many cases a violation of federal law, for any business or professional person to store sensitive information about themselves or others without encrypting it. Both the UW System incident and the physician's laptop theft would have been far less damaging had data encryption been used: encrypted data on a stolen device is unreadable without the key, and many breach notification laws treat properly encrypted data as not compromised.
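The practical check that follows from the paragraph above is whether a given laptop's volumes are actually encrypted, not merely whether the operating system offers encryption. The script below is an added example, not code from the original article or from Dean/St. Mary's or the UW System. It assumes a Windows 8.1 or later system (the BitLocker PowerShell module did not ship with Vista or Windows 7, which used the manage-bde tool instead), an elevated PowerShell session, and that the function names Test-VolumeEncryption and Enable-VolumeEncryption are illustrative choices of this example.

```powershell
# Added example: audit BitLocker status of fixed volumes and optionally enable it.
# Assumes Windows 8.1+ with the BitLocker module (Get-BitLockerVolume, Enable-BitLocker)
# and an elevated session. Function names are hypothetical, chosen for this example.

function Test-VolumeEncryption {
    # Returns one object per fixed volume with a Compliant flag.
    # A volume counts as compliant only when protection is On and encryption
    # has finished; a volume that is encrypting but has protection Off is still
    # readable by anyone who boots the stolen disk elsewhere.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' -or $_.VolumeType -eq 'Data' } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint           = $_.MountPoint
                VolumeStatus         = $_.VolumeStatus          # FullyDecrypted, EncryptionInProgress, FullyEncrypted
                ProtectionStatus     = $_.ProtectionStatus      # Off or On
                EncryptionPercentage = $_.EncryptionPercentage
                Compliant            = ($_.ProtectionStatus -eq 'On' -and $_.VolumeStatus -eq 'FullyEncrypted')
            }
        }
}

function Enable-VolumeEncryption {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,   # e.g. 'C:'
        [string] $RecoveryKeyBackupPath = "$env:USERPROFILE\Documents"
    )
    # Turn on BitLocker with a numerical recovery password protector. The
    # recovery password is printed once and should be escrowed (Active Directory,
    # an MDM, or a sealed envelope), never stored on the same laptop in clear text.
    $result = Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -RecoveryPasswordProtector -UsedSpaceOnly -SkipHardwareTest
    $recovery = ($result.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).RecoveryPassword
    Write-Host "Recovery password for ${MountPoint}: $recovery (escrow this, then delete any local copy)"
    return $result
}

# Usage: report, then remediate anything not compliant.
$report = Test-VolumeEncryption
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "Volume $($_.MountPoint) is not fully protected (status $($_.VolumeStatus), protection $($_.ProtectionStatus))"
    # Uncomment to remediate automatically:
    # Enable-VolumeEncryption -MountPoint $_.MountPoint
}
```

The Compliant test deliberately requires both ProtectionStatus On and VolumeStatus FullyEncrypted: BitLocker can be suspended (protection Off) while the volume remains encrypted, and during that window the clear key is stored on disk, which is exactly the state a stolen laptop must not be in.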
A widely cited study on data breaches published in 2009 concluded that encryption would have prevented 60% of all data breaches, and the compromise of over 90% of all consumer records, reported between 2005 and 2009.
The physician's violation of corporate privacy and information security policy may not have been preventable by technical means alone. However, the risk of employee violations of the kind exemplified in the Dean/St. Mary's incident can be minimized by periodic mandatory education of all employees on privacy and information security policies. Employee education is one of the basic tenets of privacy and security best practices.
Comparatively speaking, the Dean/St. Mary's low-risk incident was handled in an open and respectful manner, in contrast to the University of Wisconsin's handling of the far more serious data breach involving tens of thousands of Social Security numbers.