A lost laptop in Buenos Aires has led to Boston Children’s Hospital notifying a couple thousand patients and their families about a health data breach. While at a conference in the Argentine capital, a hospital employee misplaced a laptop containing the names, birth dates, diagnoses, and treatment information of 2,159 patients. Although the laptop was password protected, it lacked any kind of encryption. The information was part of a file sent as an email attachment, and doubts surround whether the file could in fact be accessed through the lost device. The Boston Globe was first to report the story, citing a hospital press release that was heretofore unavailable through the hospital’s own newsroom.
Two things are immediately disturbing about the incident:
1. Why is child patient data even on the laptop in the first place?
2. What compelled the hospital staff member to bring a device potentially containing protected health information (PHI) out of the hospital, let alone the country?
Of all healthcare providers, hospitals should show greater prudence when it comes to PHI and the privacy of their patients. Although each and every patient is entitled to the same level of security, one would hope that even greater discretion would be exercised in the case of children’s medical information.
Here’s the complete press release from Boston Children’s Hospital:
FOR IMMEDIATE RELEASE
Boston Children’s Hospital
Boston Children’s Hospital notifies patients of potential data breach
May 22, 2012 Boston, Mass. – Boston Children’s Hospital has notified patients of a potential breach of protected health information (PHI) as a result of a stolen laptop computer.
The laptop computer was in the possession of a Boston Children’s staff member attending a conference in Buenos Aires. The laptop was password protected but not encrypted. A file containing patient information had been sent to the laptop as an email attachment. The file was not deidentified and the patient information included patient name, medical record number, date of birth, diagnosis, procedure and date of surgery for 2159 patients. No patient financial data or Social Security numbers were involved. It was determined that although the file was not saved to the laptop’s hard drive, it was still on the laptop in the email attachment at the time of the theft. After extensive review and investigation, Boston Children’s staff were unable to determine whether or not the file was accessible on the laptop.
“Boston Children’s takes this incident and the protection of protected health and personal information extremely seriously,” said Daniel J. Nigrin, MD, MS, senior vice president for Information Services and Chief Information Officer. “We take great measures to ensure that Protected Health Information is never inadvertently released, and we are undertaking additional steps to prevent breaches such as this in the future. We deeply regret and apologize for any concern or inconvenience this situation may cause our patients and families.”
Patients and families have been notified of the data breach by mail. For more information, patients and families can contact the hospital with questions or concerns at 855-281-5730 (toll free) between 8 a.m. and 5 p.m. Monday through Friday.
For more information about Boston Children’s Hospital, visit: http://www.childrenshospital.org/.