ST. PAUL
Human error is being blamed in the theft of a laptop computer that contains the private information, including many Social Security numbers, of more than 16,000 patients at two hospital systems in the Twin Cities.
The Minneapolis-based Fairview health system sent letters Tuesday to nearly 14,000 patients after confirming that a laptop lacking certain privacy protections was stolen from a car in July.
The laptop also contained information on about 2,800 patients at the Robbinsdale-based North Memorial health system, which also sent letters to patients Tuesday.
The systems said there was no evidence that any patient information from the computer has been accessed or misused.
The theft occurred in a Minneapolis restaurant parking lot, and police were investigating, Fairview officials said.
The laptop belonged to an employee of Accretive Health, a Chicago-based consulting firm that is working with both health systems.
"There is a password associated with accessing that particular device," said Lois Dahl, information privacy director for Fairview. "They assured us they have strong passwords, which means it's not something easy to get. Someone would have to use technical measures beyond the average person in order to get at the data on the device."
Fairview and Accretive Health have policies and procedures that require all laptops with patient information to be fully encrypted, Dahl said. That means someone trying to use the laptop must enter a password to unscramble sensitive material on the computer.
But as a result of human error, the missing laptop was not encrypted, meaning the files are potentially at risk of being accessed, Fairview said.
The human error involved "bypassing a step before laptops are issued to an (Accretive) employee," Dahl said. "Accretive has assured us they fixed whatever process breakdown there was."
A spokeswoman for Accretive Health would not answer questions about the missing laptop. It wasn't clear if the employee in question was terminated or moved off the projects at Fairview and North Memorial.
The theft of laptops with protected health information is a growing problem. There were about 50 such thefts reported to the federal government in 2009 and 2010, said David Roman, a spokesman for the U.S. Department of Health and Human Services.
HHS can fine hospitals in cases where federal privacy laws have been broken. The highest annual penalty is $1.5 million, Roman said.
He said state attorneys general also are authorized to bring civil actions in such cases.
For Fairview patients, the stolen laptop had files containing a combination of patient names, addresses, diagnostic information and Social Security numbers.
For North Memorial patients, the laptop contained only names, medical record numbers and some clinical information.
The laptop did not contain credit card information from any patients.
"This loss of sensitive patient information is disappointing and unacceptable," Dahl said in a statement. "We do believe the overall risk of anybody accessing the data is low."
"The privacy of our patients' health information is a top priority at North Memorial," Deb Contreras, Fairview's privacy officer, said in a statement. "It is unfortunate that one of our vendors failed to meet that expectation."
For Fairview, the theft is the second high-profile security breach involving patient records this year. In April, the health system notified 1,200 patients about the potential loss of information when a box with paper records went missing during the relocation of an office between Fairview buildings.
Whereas the April security breach involved a fairly distinct group of patients at Fairview Southdale, the latest problem affects patients across the system who have been treated since 2009, Dahl said.
Fairview operates clinics across the state and six acute care hospitals including University of Minnesota Medical Center, Fairview and Fairview Ridges in Burnsville.
Federal privacy laws require hospitals to notify patients about security breaches within 60 days when the problems involve health information where patients could be harmed. Fairview said it learned of the laptop theft four days after it happened; the system didn't contact patients earlier, Dahl said, because officials initially believed the computer was encrypted.
About 10 percent of Fairview employees have laptops, Dahl said, and a small percentage of those workers are allowed to carry patient information on the portable computers. As an example, she said that home care nurses bring a laptop with them during patient visits.
Accretive Health is working with Fairview on a project to better coordinate patient care in hopes of reducing costs. The workers have patient information with them on laptops because "they're really parts of our care teams in multiple sites," said Dr. Mark Werner, the chief clinical integration officer at Fairview.
"This isn't office work," Werner said. "It's work where you are engaging the clinical care team."
At North Memorial, Accretive Health is helping to "streamline its insurance, patient and billing systems," spokeswoman Wendy Jerde wrote in an email. It's a "question for Accretive," she wrote, to explain why an employee working on such a project would need patient information on a laptop.
Fairview officials would not say where the theft occurred or at what time of day. A copy of the police report was not immediately available.
With its letter, Fairview was notifying affected individuals and offering free identity theft protection and fraud monitoring services. Accretive Health will pay for these services, according to Fairview.
North Memorial stressed that the laptop did not contain their patients' Social Security numbers or home addresses. The letter being sent to patients will explain how they can obtain help from North Memorial, the health system said.
Distributed by MCT Information Services