News Feature | September 2, 2014

Cedars-Sinai Reports Data Breach

By Christine Kern, contributing writer

Social Security numbers of more than 500 patients among the PHI on an unencrypted laptop that was stolen.

Despite having an organization-wide device encryption policy in place, Cedars-Sinai Medical Center in Los Angeles announced the theft of an unencrypted laptop that may have compromised the personal health information (PHI) of more than 500 patients.

According to the Cedars-Sinai statement on its website, “Although there is no indication of any actual or attempted unauthorized access to health information, Cedars-Sinai Health System will be notifying certain patients who have the potential to be affected by the theft of a Cedars-Sinai-issued laptop computer that may have contained some of their health information. There is no indication that the laptop contained complete medical or billing records of any patient. Remote access from this laptop to the Cedars-Sinai computer network has been terminated.”

The problem is that, although the laptop was password-protected, it did not have additional encryption software enabled, a violation of Cedars-Sinai policy. Therefore, the potential exists that some information may have been stored in temporary files on the laptop's hard drive at the time of the theft.

"Cedars-Sinai takes the security of our patients' health information very seriously, and has multiple security safeguards in place to protect health information," said David Blake, Cedars-Sinai's chief privacy officer. "Even a potential data security incident on a single computer, as has occurred here, is not acceptable to us. We apologize to the people affected by this incident, and have taken actions to prevent any re-occurrence."

The laptop hard drive could have held PHI such as medical record numbers, patient identification numbers, lab testing information, treatment information and diagnostic information, as well as some patient Social Security numbers. The unencrypted device, which was password-protected, was stolen from an employee’s home on June 23 and has not been recovered. Cedars-Sinai, the largest academic medical center in California, removed remote access to its network from the laptop and is notifying affected patients via letter.

“Cedars-Sinai retained independent experts in computer forensics to manually and electronically review the files that may have been on the laptop at the time of the theft and to identify any Cedars-Sinai patients whose information may have been stored on the stolen device,” the statement read. “This investigation is ongoing.”

Cedars-Sinai will begin mailing letters to those identified as being potentially affected by the incident.

The Los Angeles Times reports the technical safeguard breakdown (and policy violation) occurred when the laptop’s operating system was updated and encryption software wasn’t reinstalled. Though it doesn’t believe any patient data has been misused at this point, Cedars-Sinai recommended that patients check their credit regularly.