On April 5, John Muir Health began notifying 5,450 patients by mail about a potential breach of their personal and health information. The notification follows the theft of two laptop computers at the John Muir Physician Network perinatal office in Walnut Creek, Calif., in February.
“The laptops were password protected and contained data in a format that would not be readily accessible. While we have no evidence that the information has been accessed or used inappropriately, we cannot rule out that possibility, and, therefore, are notifying patients to help protect their identity,” said Hala Helm, vice president, chief compliance and privacy officer for John Muir Health. “We apologize for any inconvenience or anxiety this incident may cause our patients.”
Upon discovering the theft, John Muir Health said it notified the Walnut Creek Police Department and conducted a thorough internal investigation to determine what information was stored on the laptops, whether the information could potentially be accessed and, if so, who was potentially affected. During the investigation, John Muir Health learned that the laptops contained personal health information going back more than three years.
“We initiated the notification process once we knew exactly what information was stored on the laptops and who was affected,” said Helm. “We wanted to make sure we had accurate information and could address questions from our patients.”
Because personal information is involved, John Muir Health is recommending that those impacted place a fraud alert on their credit files. Included with the notification letter to patients are detailed instructions on placing a fraud alert. John Muir Health has also arranged with Equifax to provide an identity theft protection product to help affected patients protect their identity and credit information at no cost to them for one year.
“Patient information stored on laptops at the perinatal office is now encrypted, and the laptops are locked down,” Helm added. “Encryption software is also being installed on John Muir Health laptops throughout the organization.”
In addition to the Walnut Creek Police Department, the U.S. Department of Health and Human Services has been notified of the theft and possible privacy breach.