A laptop computer that might have contained limited medical information on pediatric patients has been stolen from a secure area of Lucile Packard Children’s Hospital, officials announced today.
The laptop was discovered missing from a secured, badge-access-controlled area of the hospital on May 8 and was reported by an employee. The hospital immediately launched an investigation with Stanford Department of Public Safety and hospital security, officials said in a statement. The laptop has not been found.
The computer is thought to contain operating-room schedules during a three-year period beginning in 2009. Hospital officials are not certain which operating schedules were on the computer, but 12,900 potentially affected patients are being notified by mail out of caution, they said.
The information would include patient name, age, medical record number, telephone number, scheduled surgical procedure, and the names of physicians involved in the surgery, officials said.
There is no evidence that any pediatric patient data has been accessed or otherwise compromised, they added. Financial or credit card information, Social Security numbers, insurance numbers or any other marketable information were not on the computer.
The laptop was outdated and damaged, and was on a schedule to have its data removed by information technologists, officials said.
The hospital is taking the breach very seriously, they added.
“Lucile Packard Children’s Hospital strives to be an industry leader in the area of medical information security. As a result of this incident, we are taking additional steps to further strengthen our policies and controls surrounding the protection of patient data to reduce the chance that an incident of this type will happen again,” officials said.
The hospital is offering a year of identity-theft protection at no cost to potentially-affected families who wish to have it and is establishing a call center to answer questions from families. The toll-free number is 855-683-1168, and is open Monday through Saturday from 6 a.m. to 6 p.m. Pacific Standard Time.
Stanford’s concern is shallow and meaningless.
If the hospital wanted to be serious about protecting our information, they would have solved this. It was in January that Stanford supplied another laptop with private information, taken from a car.
What company in Silicon Valley is so stupid to allow its employees to store valuable information on laptops? I have worked for none that were so poorly managed.
This is indeed the second case this year of a laptop stolen from Stanford Hospital ( at least the second one admitted to). Besides being poorly managed, what is wrong with them????
I agree…This is actually the second time. I complained to them about this. Because i got a letter stating this and my child’s information could be leaked. I moved my kids to Palo Alto Medical which I get better service anyways.
JC-really, shallow and meaningless? You have no clue about Stanford computer security. They would have solved this? You think all crimes are easy to solve? Non so poorly managed? How About a prototype IPhone left at a bar. You have no idea how security differs for an institution with thousands of visitors vs a private company with no outsiders.
Remy— maybe you can get together with JC and commiserate on how awful Stanford is
Noname- your loss:
http://www.fortmilltimes.com/2013/06/11/2753004/new-national-survey-ranks-lucile.html
Oh dear me. It looks like I have upset the editor of the #1 newspaper. I do hope that he had his fainting couch near when he read my shocking comments.
It must be hard to be the editor of the #1 newspaper– having to be the tool of the city council, protect neighborhood leaders from criticism, placate advertisers, appeal for donations for a for profit organization. And then you have to deal with posters expressing their opinions and deleting those that upset your sensitive state of mind.
Perhaps being the editor of the #1 newspaper is just becoming too much for you.
Used to live in PA and worked in the area. I think it is appropriate for Stanford to announce this information, as it is policy in most institutions. As a Paramedic I work on a laptop, I input reports that contain address, name, social security, medical history, assessment, treatment, insurance information (as well as other pertinent information).
All of our computers work off a cloud cad system, without wireless connection through the modem in one of our fleet vehicles, you cannot access the accounts. On top of that, you can only access your account and cases that are less then one week old. We have three passwords you have to get through, and then a password system to enter the cloud cad.
My point, is that these computers are not merely turn on and go to my documents and click on a word file. These computers by law in many instances, as well as by fear of legal action, are put together with the best security the private sector has to offer.
Working on a mobile device is normal in 2013, and those in the bay area/silicon valley should not shun the mobile device. The bigger issue is why this keeps happening, and that is going to take old fashion detective work and a human presence.
While anything is possible, let it be known that the chances of any information being taken off that computer and abused is probably slim to none.
If Stanford is not using a cloud based cad, with built in security, that is an issue in itself.
The information offered by “First Responder” is interesting, but fails to recognize that data is data–and can be stored on any computer and in any format. With Stanford’s being a teaching hospital, there is every reason to believe that doctors/researchers/medical students would be using historical, and current, medical records for “research”.
“Security” is a poorly understood area of computing. Keeping a patient contact information in an encrypted format would be a start, but this procedure creates real problems for people wanting to use the data. Keeping encrypted data on “the cloud” is another step forward, but this requires having an active Internet connection to be able to use the data. For people who want to go fishing, and do work in the evening, not having access to their data might be the problem.
Another approach would be to strip out all of the contact information for data given to researchers. Having a “patient ID” would be sufficient for those cases where a Researcher/Doctor might need to contact a patient for further consultation.
There isn’t anything suggested here that is difficult to do. It’s clear that Stanford, and those who work with patient data, don’t seem particularly interested in fully protecting the data that has been entrusted to them.
As an employee at Stanford, I can tell you that the university took the first incident very seriously: they mandated encryption and backup software for all hospital owned computers and all personal computers connecting to the network or that may contain sensitive data.
They also mandated encryption software for all personal devices including iphones and laptops that even access hospital email. They were also kind enough to offer nearly free macbook pro and air’s to all employees working with sensitive data whose computer was not up to encryption standards.
This incident must have occurred on a computer that was slated for destruction. While Stanford is behind the times with regard to a lot of technology, this is not one of those cases.
> While Stanford is behind the times with regard to a lot of
> technology, this is not one of those cases
And yet, the incidents keep happening.
My child’s highly private medical information was compromised in the left of the first laptop. I can’t believe this has happened AGAIN. They are not taking enough precautionary steps to ensure that patient privacy is being protected. This is outrageous! The letter we received by Stanford when my child’s medical information was released out into the public wasn’t even sincere. I feel like they don’t really care at all.
Anon–you should become familiar with the incidents before you start.
The initial theft was of a laptop that was taken home by a doctor. This doctor told the university there was no patient data on the laptop but there was!!! He was subsequently dealt with.
The second theft happened on hospital property (and Wayne if you have a solution to stop thefts, please let us know).
The university has taken numerous steps to deal with this matter as James Smith outlined above
Please post the letter you got from Stanford, anon, since I find it hard to believe stanford was not “sincere” and “did not seem to care”.
This is not only the second laptop stolen this year, this is one of many security breaches.
My child who had surgery in 2007 had his information compromised. We received a letter informing us that Stanford had subcontracted data management to a company who in turn subcontracted to another company, and then that third company had someone (we were never informed who) place all the patient information on a public website. Sounds crazy to me now as it did then. We received a letter from Stanford Hospital indicating that they would pay for an identity theft alert service for our son and were doing everything they could to prevent such loss of information in the future.
Since their inability to properly manage data has been on their radar for at least 6 years now, it sounds to me like they really are either 1. not taking this seriously enough, or 2. do not know how to tackle this problem appropriately and desperately need outside help.
These two laptops were not the only recent lapses in security. Don’t forget that not so long ago, Stanford’s casual treatment of data allowed a website to publish names, diagnosis codes, and dates for patients in their emergency room.
There are many ways to solve problems — and posters here have named a few — but encryption and passwords only mask the underlying problem. A serious solution would keep personally-identifiable information hidden securely from everyone except those treating a patient. Procedures like those are work, constant vigilance, a different way of thinking, possible inconvenience.
Stanford’s decisions so far have placed their own convenience over protecting patients. Giving access to patient personal information for someone on a fishing trip is a misplaced balance that can be justified only when an organization has abandoned protection.
There have actually been five our six serious breaches in the last six years. Each time Stanford says that they are taking it serious, but then they don’t put the resources behind it. They missed there own encryption deadlines last fall, Why? Employees were on wait lists to get laptops encrypted. Why didn’t they have enough manpower to encrypt the THOUSANDS of laptops that they provide. THey need to stop blaming it on the employees, and put blame where it belongs: who is heading up IT and security? THe President? The Provost? Heads should be rolling at at the very highest levels. WHy isn’t the university providing the funds necessary to ensure that every computer is checked for encryption?
The Stanford Hospital administration org chart lists:
Amir Dan Rubin President and Chief Executive Officer
Diane Meyer Chief Compliance and Privacy Officer
It appears the primary duty of Diane Meyer is to “sincerely apologize for the concern this has caused our patients.”
Here is my comment – which I am sure you will all ignore.
Human nature being what it is, we really can’t have portable electronic devices with information needing privacy on them. Period.
Stanford has done everything humanly possible, or if not that, close to that, to address this issue, to handle it as it needs to be handled.
But the result is a world full of paranoia and fear – and resentment that computers have to be encrypted (because that “wrecks” them for other purposes).
With a world like this, you will get individuals who will sabotage. Period.
Do not blame Stanford – blame yourselves for buying into the whole thing of portable electronic devices and electronic med records. You’ll see what the real consequence is when young people avoid going into medicine as a result.
This is one of numerous data breaches at Stanford and Lucile Packard within the past three years. The press releases and letters are the same they apologize and promise to fix it yet it keeps happening. It’s not the staff it is the Compliance and Privacy Department. What have they done in the past few years to reduce these instances? Clearly nothing since this is the probably the 8th incident. We all know that in our workplaces the department head would be fired. In the world we live in we know things are going to get stolen that’s why every piece of technology should be encrypted. I bet if they did a review at Stanford they would still find a lot of computers lacking encryption. The physicians and researchers are allowed to bring their own devices and hook them up to the system. There aren’t any controls over where data is stored and how.
You’re being very unfair. No physician or researcher can hook up computers to “the system” that way.
Shame on Stanford, you’re also being very unfair.
By the way, how much do you guys think it costs to have hordes of IT professionals encrypting and deencrypting to reencrypt with a better system thousands of computers?
You weren’t paying enough for medical care already?
businessdecision, your remark will not go ignored, but it stands incorrect.
Stanford sits in the middle of a community that is a world technological capitol, with too many professionals who know that Stanford has not done “everything humanly possible”. By the results, we know that they have done very little.
Even within the lax security of healthcare IT, Stanford is notorious for HIPAA breaches. Compared to practices in place in high-tech firms, Stanford’s security is an embarrassment. I agree with other posters: the person in charge of Privacy would have lost their job at any nearby firm.
When technology firms want to protect data now, they do it now. I have seen enormous companies encrypt thousands of laptops in a day. Not encrypted? You cannot connect.
Encryption is only a first and very small step.
If you want to protect data, it never sits on another machine, it can only be viewed there. In order to connect a machine to the network, it must have special intrusive software installed that not only gives permission to connect but can allow administrators to detect violations of security.
A competent Privacy Officer would know and implement these steps and the dozens that follow.
Physicians and researchers cannot hook up computers? Silicon Valley firms hire thousands of non-engineering employees who have been very successful at connecting to systems just like these in order to get their work done: sales, financial, legal, HR, administrative assistants. If Stanford’s current physicians and researchers think it unfair to protect patient data, Stanford needs new employees.
Everything humanly possible? No, they have not even begun.
well, unbelievable. Could it possibly be true? If so, why would Stanford…?
@Knowledgeable: ur dead on. not enuf priority or budget for IT? / security? Would hate to be either of those guys, or the PR guy. “As a result of this incident, we are taking additional steps to further strengthen our policies and controls surrounding the protection of patient data to reduce the chance that an incident of this type will happen again.” policies and controls? how abou tencrypt, wipe clean..
Please note that Stanford University, Stanford University Medical Center and Lucile Packard Children’s Hospital at Stanford are SEPARATE organizations, although related. They have their own boards, their own management, their own HR departments, their own benefits departments and, most importantly their own separate IT departments. This is about LPCH and it should not be confused with other organization.
That’s not right, Richard. Check for yourself. The main hospital and the children’s hospital have the same Privacy officer, the woman who is supposed to have solved these problems sometime in the previous six leaks of private information.
Six privacy breaches may be an exaggeration. Stanford has reported only five. But then, they did get fined because they failed to report a breach, so who knows.