Posted by security, a resident of the Adobe-Meadows neighborhood, on Jan 21, 2013 at 10:25 am

Was the data encrypted as well as password protected? Passwords only protect you from casual theft. Private data needs to be encrypted as well.

Posted by Wondering?, a resident of Another Palo Alto neighborhood, on Jan 21, 2013 at 12:46 pm

> "As a result of this incident, we are taking additional steps to

> further strengthen our policies and controls surrounding the

> protection of patient data,

Isn't this the same thing Stanford Medical IT officials said the last time this happened? Clearly not releasing personal information in data that is going to be used by researchers does not seem to be something that they can do, or believe needs to be done. Or encrypting that information. Certainly internal ID numbers can be used to relate encrypted data to contact information kept on supposedly secure servers (which also should be encrypted).

Stanford IT people clearly understand that issuing a press release is a lot less work than coming up with a security regime for patient data that actually works.

Posted by former packard nurse, a resident of the Charleston Gardens neighborhood, on Jan 21, 2013 at 12:51 pm

so why was it left in the car?

Posted by legality, a resident of the Embarcadero Oaks/Leland neighborhood, on Jan 21, 2013 at 1:07 pm

This needs to be a law. So much effort into HIPPA measures, yet it's ok to keep personal info on a laptop that then leaves the security of the workplace. My law: If you have confidential personal info regarding clients on a laptop, that laptop stays at work. It doesn't belong in your car while you go eat or shop. With identity theft on the rise and quite a pain (financially and otherwise) for those who have been victimized, this should not be allowed!

Companies place security measures on protecting their own proprietary info, yet the clients are left on their own....

Posted by MM, a resident of Another Palo Alto neighborhood, on Jan 21, 2013 at 1:34 pm

My spouse's workplace contacted us and said a laptop with employee personal data had been stolen -- like you, I can't believe a laptop with that info would leave the workplace! Now they're required to have encrypted data, and almost no one (even those who don't have any personnel info) is allowed to take laptops home!

Password protection means nothing. All you have to do is boot the computer in target mode and take the data (or whatever the pc filesharing equivalent is). Security is right, if the data isn't encrypted, the password isn't going to protect the data from even a casual thief.

People should be aware that their medical information isn't well protected anyway -- unless of course, a patient wants to collect all of it for their own records, then it's a real slog.

Posted by Estupido, a member of the Palo Alto High School community, on Jan 21, 2013 at 3:07 pm

That was really stupid of someone to leave it in a car! My husband left his in the covered hatchback of his locked car, and when he returned half an hour later, it was gone, and the hatchback was open.

The police said that crooks now have technology to capture the lock signal from your electronic key when you lock your car, so they no longer have to smash the windows to break into a locked car.

The advice from the Santa Clara PD: always, always take your laptop, phone, or tablet with you, even for two minutes!

Posted by palo alto mom, a resident of the Embarcadero Oaks/Leland neighborhood, on Jan 21, 2013 at 4:02 pm

Ironic that we are blocked from accessing online info for our own children if they are 14-17, yet a physician can bring it home on his laptop!

Posted by Bob, a resident of the Midtown neighborhood, on Jan 21, 2013 at 6:01 pm

Laptops with personal information on them need to have full disk encryption (FDE). That is, the whole disk needs to be encrypted. Logins passwords are not adequate to protect this kind of data. FDE is available from several vendors.

I would think that Lucile Packard Children's Hospital is liable for not having the laptop encrypted.

Posted by Stanford Patient, a resident of Stanford, on Jan 22, 2013 at 6:58 pm

I called the Stanford Privacy office and they REFUSED to explain why patient data was on a laptop, who the physician was (male, but all they would say), and what he was doing with private data. The guy even went so far as to say that he knew the physician was "authorized" to have the data, but then backtracked and said that he had no idea who the laptop belonged to, or why info was on it, or what that physician was doing with it. But we're supposed to take his word that whomever had the data was "authorized." This is so unacceptable.

Posted by concerned about Stanford, a resident of the Old Palo Alto neighborhood, on Feb 4, 2013 at 10:11 am

I'm not computer whiz, but it seems like Stanford has been paying lip service to security. Four security breaches in last year or so? And they say now they;re "redoubling" their efforts to get laptops encrypted? Here we are in the high tech world of Silicon Valley, and Stanford can't remotely wipe data off computers? Computers have been stolen from hospital offices, from homes. I hear only now are they locking doctor's office doors at night! Stanford, get with it. I think my daughter's PA school computer has better security and tracking that Stanford.