The Medical Center in Bowling Green, Ky., is currently notifying 5,418 patients of a breach of personal protected health information, resulting from the theft of computer equipment from its mammography suite containing information on patients who underwent bone density testing between 1997 and 2009.
At this point the provider said it had no reason to believe the device was stolen for the information on it or that any personal information has been released or used.
On April 1, the Medical Center said it discovered that the laptop had been stolen from its mammography suite. Upon learning of the theft, the facility launched an investigation of the incident, and the theft has been reported to the Bowling Green Police Department.
The facility has since discovered the data on the device included each patient’s name, date of birth, address, medical record number and physician name. Some patients’ records also included information, such as social security numbers, weight, height and menopause age. The data on the hard drive was not encrypted; however, the hard drive was maintained in a locked, non-public, private area, according to the hospital.
The Medical Center claimed to have “stringent policies and procedures in place to protect patient data and takes very seriously its obligation to safeguard the personal health information of its patients.”
As a result of this breach, steps are underway to strengthen the security of patient data. The facility said it will now archive data to a secure network, which will allow them to eliminate the need for use of a hard drive like the one that was stolen. Additionally, the Medical Center said it will ensure that we do not have any other equipment configurations that utilize a portable hard drive containing non-encrypted data.
The Kentucky hospital encouraged affected patients to take the following steps recommended by the Federal Trade Commission to prevent any possible misuse of personal information:
- Monitor accounts and bank statements each month and check credit report on a regular basis.
- Stay alert for the signs of identity theft, like:
- Accounts patients didn’t open and debts on accounts that are explainable.
- Fraudulent or inaccurate information on credit reports, including accounts and personal information, like the Social Security number, address(es), name or initials and employers.
- Failing to receive bills or other mail. Follow up with creditors if bills don’t arrive on time.
- Obtain a free copy of a credit report from each of the three major credit bureaus; or by visiting the website: https://www.annualcreditreport.com/cra/index.jsp.
The Medical Center also noted that it is following all of the requirements of the American Recovery and Reinvestment Act of 2009 and the Health IT for Economic and Clinical Health Act which includes: notification of the U.S. secretary of the Department of Health and Human Services; notification of patients who may have had their personal protected health information accessed by the breach; public disclosure to the local media; and posting information about the breach on its website.