About 3,900 Beth Israel Deaconess Medical Center patients will be getting letters alerting them that some of their personal health information may have been breached after a physician’s personal laptop computer was stolen from a hospital office.
The theft occurred May 22, hospital officials said Friday, and the stolen laptop, which contained a tracking device, has not been recovered.
Police were notified and a suspect has been arrested in the case, the officials said.
The hospital hired a national forensic firm to investigate whether data were compromised, and it has found no indication that any information has been misused, according to the hospital.
“There were no Social Security numbers, there were no complete medical records, and there were no medication lists” on the laptop, said Dr. John Halamka, Beth Israel Deaconess’s chief information officer. “There was also no financial data, and nothing that would be used from an identity theft perspective.”
Beth Israel Deaconess routinely protects information on company-issued computers by encrypting the material with software that makes it difficult to decipher, but in this case the stolen laptop was the physician’s personal device that was used for some office work.
“It’s a teachable moment,” said Halamka, who added that the experience is prompting an immediate policy change at the hospital.
“We have said to our employees that there is now a mandatory encryption program. So any device that is used in any way with our data, whether it is patient-related or administrative, it must be encrypted,” Halamka said.
“We are creating depots where employees bring in their devices and we will encrypt them on their behalf,” he said. “We will ensure that it has appropriate antivirus protection and up-to-date software patches.”
The 6,000 employees at the hospital’s Longwood-area medical campus own an estimated 1,500 personal electronic devices that might be used for work, so the process of encrypting is expected to take about three months, Halamka said.
The hospital also said it has enhanced security in office buildings and mounted a campaign to raise awareness about data security issues within the organization.
Halamka said patients will be receiving letters through the mail and will be given access to a toll-free telephone number, 855-781-0038, beginning on Monday at 9 a.m.
This is not the first data breach at Beth Israel Deaconess.
A year ago, roughly 2,000 patients were notified that their personal health information may have been compromised when a vendor failed to restore security controls on a computer following routine maintenance.
The computer, which was located in a locked room, stored patient names, hospital medical record numbers, gender, dates of birth, and the dates and names of radiology procedures for 2,021 patients. No Social Security numbers or financial data were stored on the computer.
The computer was found to be transmitting data to an unknown location, the result of being infected by a virus following the maintenance.