(original story: 8:34 p.m. on 11/04/2013): When University Hospitals hired a company to upgrade their computer systems, they probably didn't anticipate having to notify more than 7,000 of their patients that their medical records may have been exposed because of it. But that's just what happened in August after someone allegedly stole a hard drive from a car belonging to an employee of the company they hired to do the upgrades.
The Plain Dealer/Northeast Ohio Media Group/Cleveland.com reported today that University Hospitals has been mailing out letters to their patients about what happened:
UH was informed of the theft Aug. 8, and the hospital system has been determining the exact information that was on the drive since then, said hospital spokeswoman Janice Guhl.
The data came from 19 computers from physician offices. The hospital discovered that the encryption process on the stolen hard drive had not been initiated, Guhl said. Encryption is the highest level of security used to protect data on computers.
No word about why UH waited nearly three months to tell people their "confidential" information was stolen. They did not tell the paper/media group/website the name of the vendor.
Are you one of the 7,100 people who got that letter? Send it along, we'd like to see it: email@example.com.
(Update: 9:36 a.m. on 11/5/2013): A Cleveland Scene reader named Andrew was one of those 7,100 people to get the letter (dated October 31), and he sent a picture of his this morning:
This letter contains important information about your personal medical information. Please be sure to read the following in full.
It has been brought to our attention that, during a recent computer equipment upgrade, certain personal and medical information may have been exposed. This information includes: your name, medical record number, insurance provider/carrier and health information about your treatment with Doctor PRESTON MD, DAVID C.
We understand the critical importance of personal information privacy and doctor/patient confidentiality, and we sincerely apologize this lapse occurred.
As background, University Hospitals (UH) currently is upgrading its UH physicians' office computer equipment as part of our electronic medical record system implementation. UH contracted with a third-party information technology (IT) vendor to assist with this effort and, as part of the process, UH physician office computer data was backed-up on various hard drives. On August 8, 2013, we were notified that one hard drive containing backed-up UH physician office computer data was stolen out of a vehicle belonging to a vendor employee. Since that time, we have devoted considerable time and effort to determine what information may have been on that hard drive.
It is important to note that, to date, we have not received any reports that personal and medical information has been accessed or misused. It is possible that the thief may be unaware of the nature of the information in the device or may be unable to access it.
The privacy of our patients' personal and medical information is of the utmost importance to our organization, and we are deeply sorry that this has happened. In light of this incident, we are continuing to review our privacy policies and preventive measures to minimize the risk of a similar incident in the future. We are actively engaged with an independent IT security consulting firm to strengthen our protocols.
In today's day and age, it is always smart to review your credit and personal data carefully and on a regular basis. In the event it is helpful, we have provided guidance for placing a fraud alert, obtaining a free credit report and best practices in protecting your health information in the pages that follow.
Again, please know that we take the security of your personal information and confidential health information very seriously, and are committed to continually reassessing and enhancing our processes and protocols to ensure it is protected to the best of our ability. We sincerely regret any inconvenience or concern that this incident has caused you.
If you have any further questions regarding this incident, please call our toll-free number we have set up to respond to questions at (877) 220-1388. Callers will need to use reference number: 7111100213. The call center is available Monday through Friday, 9:00 a.m. to 7:00 p.m. Eastern Time.
Lisa Venn, JD, MA, CHC
Director of Privacy and Compliance Operations