Greensboro, N.C.-based Moses Cone Health System recently notified 14,380 patients that some of their identifiable information was on a laptop stolen in Canton, Ga., on March 9. The delivery system is offering the patients one year of free credit monitoring services and insurance protection from CSIdentity, Austin, Texas.
The laptop was stolen along with other items from the car of an employee of VHA Clinical Specialty Services, previously known as Goodroe Healthcare Solutions, a consulting division of provider alliance VHA Inc., Irving, Texas.
Moses Cone contracts with VHA Clinical Specialty to analyze data to improve utilization of supplies without compromising the quality of care. The delivery system transmitted the data via a virtual private network to VHA, where it was downloaded to the laptop. The laptop was password-protected but data was not encrypted. The VHA consultant was authorized to bring the laptop home but should not have left it in the car, says a VHA spokesperson.
Following the March 9 theft, Moses Cone was notified about the episode by VHA on Saturday, March 14, says Lynn Matthews, compliance and privacy officer at the delivery system. Letters were sent out to patients on April 9 and local media was informed on April 13. "We wanted to tie the medial release to coincide with patients receiving the letters," Matthews says.
In response to the event, Moses Cone contracted in March with CSIdentity, got a copy of the downloaded file back from VHA, converted it back to its original format, and removed about 4,000 duplicate listings so patients wouldn't get two or more letters. Deceased patients also were identified and removed. "It was just a lot of data to turn around," Matthews says.
Identifiable information on the laptop included patient names, addresses, date-of-birth and about 6,000 Social Security numbers. Because the laptop was among several items stolen and "the data was in a format the average criminal could not access," Moses Cone officials do not believe any of the data was exposed, Matthews says. "We don't have any indication this data was used and hope patients use the credit monitoring service. We are very sorry that this happened."
Since the theft, VHA Clinical Specialty Services has changed its procedures for capturing information from hospitals, according to the VHA spokesperson. It has identified other laptops with hospital information and removed the data. Now, hospitals transmit data via the virtual private network directly into a server accessible only by authorized VHA users.
VHA is working with hospitals to determine other ways to further protect data. For instance, they are studying whether it is practical for VHA consultants to come to hospitals to do programming and analyses on a designated computer. That way, the data never leaves the hospital.
http://www.healthdatamanagement.com/
