Affected patients notified of stolen St. Mary's laptop

Print Print
Gina Duwe
Tuesday, October 1, 2013

JANESVILLE--More than 600 St. Mary's Janesville Hospital patients will receive a letter this week saying their medical information was potentially compromised when a hospital employee's laptop was stolen from a car.

The hospital mailed letters Monday to the 629 patients who might be affected, said Joan Neeno, director of marketing and public relations. Those patients received care in the emergency department between Jan. 1 and Aug. 26, 2013.

The hospital received the report of the stolen laptop Aug. 27.

Hospital officials have no evidence to show information on the laptop has been misused, Neeno said. Affected patients are able to opt-in for one year of free identity monitoring and protection through ID Experts, according to a news release.

Patients who do not receive a letter have not been affected, Neeno said.

Information on the laptop may have included patient name, date of birth, medical record and account numbers, provider and department of service, bed and room number, date and time of service, visit history, complaint, diagnosis, procedures, test results, vaccines, if administered, and medications, according to a news release.

The laptop did not contain any Social Security numbers, addresses, credit card numbers or financial information.    

“We have no reason to believe the laptop was stolen to gain access to patient information,” according to the news release.

Neeno could not comment on the circumstances of the theft but said it happened off of the hospital campus. Most hospital employees do not have laptops, and this employee was doing legitimate work with the computer, she said.

Police have no suspects in the theft, according to police reports. The laptop was stolen from a vehicle parked at a downtown apartment, and reports said the thief or thieves rummaged through the vehicle, left credit cards scattered on the floor and dropped papers and a pocket pursue with change on the ground.

The computer was configured so information could be not written to the hard drive, meaning information could only be accessed when connected to a hospital network, she said. Email was stored on the hard drive and password protected. However, the laptop was not encrypted, which was in violation of hospital policy.

“It would be challenging for someone to get into that information, but because it wasn't encrypted, it is possible,” Neeno said.

An internal audit after the theft discovered a “tiny fraction” of laptops that had missed the encryption step during setup, she said. The hospital is reviewing the breach of policy and re-educating employees and providers to ensure patient information is protected at all times, according to the news release.

“We have inspected all laptops to ensure they all have encryption software,” the news release stated. “We will actively be monitoring consistency of laptop encryption and conducting monthly audits to ensure compliance with our encryption policies.”

Print Print