Friday, May 28, 2010
A password-protected laptop computer containing information regarding 61,027 Cincinnati Children’s Hospital Medical Center patients from multiple states and several foreign countries has been stolen.
There has been no indication the information has been misused. Cincinnati Children’s is notifying each of the patients or their guardians by letters mailed May 28, 2010 and offering them free identity theft protection services.
The theft occurred from an employee’s vehicle parked at his residence sometime between March 27 and 29, 2010. It was reported to the Cincinnati Police.
Upon thorough investigation by the medical center, and third-party validation, Cincinnati Children’s concluded that the information on the laptop included some personal information, including names, medical record numbers, and services received. There were no social security numbers, telephone numbers or credit card information on the computer.
The information on the laptop was password protected, but it was not encrypted.
Since this event, Cincinnati Children's has strengthened its encryption practices to ensure no PC laptop computers are issued unless the encryption process is initiated. Additionally, it has improved its process for tracking the encryption of these laptops. Finally, it is committed to communicating safe electronic practices across the institution and rolling out updated training on securing and protecting patient information to all employees.
“Cincinnati Children’s is committed to providing the highest level of care for its patients and their families and that includes protecting personal information,” Michael Fisher, president and CEO, wrote in the notification letter.
Cincinnati Children’s has contracted with ID Experts, the leading provider in data breach solutions, to help patients and families affected by this incident. Services being offered include a one-year membership in theft-identity services. The membership offers:
The notification of the families, the federal department of Health and Human Services, the general public through a news release and posting on the hospital’s Web site are made pursuant to the Health Information Technology for Economic and Clinical Health Act approved in 2009.
-- 30 --