The laptop, which was stolen in May from the physician’s office, has not been recovered; however, law enforcement has arrested a suspect, the hospital said in a statement. The laptop contained a tracking device, which unfortunately was not activated. The hospital has employed a forensic firm to determine whether the data were compromised.
The laptop contained files that included summaries of medical information used for administrative purposes within Beth Israel, but did not contain complete medical records or patient financial information, such as social security numbers, the statement said. The stolen laptop also contained approximately 230 administrative employee records.
“We take the incident extremely seriously and have now accelerated implementation of a program to assist employees with protecting devices they purchase personally. We deeply regret and apologize for any concern or inconvenience this situation may cause our patients and families,” said John Halamka, MD, Beth Israel’s chief information officer.
Last month, Halamka launched a Summer of Compliance initiative at the hospital. In a blog kicking off the initiative, he commented, “As a CIO, it's the mounting regulatory and compliance pressures that keep me up at night. They will require a level of resources and focus that will reshape my plans for the next year or more.”
The “to-do list” that came out of workshops held in June included malware control, data loss prevention for emails sent to commercial email providers, blocking of cloud storage services, restriction of outbound internet traffic (machines sending data to unauthorized organizations), adaptive authentication, and, perhaps not coincidentally, mobile device encryption.
This is the second data breach at the hospital in a year. Last July, the hospital notified more than 2,000 patients that personal information was stolen from a hospital computer due to a security lapse by a computer service vendor. The vendor failed to restore security settings on the computer, which was later found to be infected with a data-stealing virus.
Commenting on the tracking capability in the stolen laptop, Mark Bower, data protection expert at Voltage Security, said that “tracking doesn't help one dime when it comes to Safe Harbor and HIPAA breach – the get out of jail card when a breach happens. With thousands of records at risk, the only real way to solve this challenge is to encrypt at the data level.”