In the first data breach announcement of 2007, Georgia-based Emory Healthcare reports that a computer containing information on 38,000 of its patients was stolen from the offices of an Ohio company contracted to provide services for Emory.
The company said the theft took place on Nov. 23rd, but letters informing patients of the theft were not mailed out until Dec. 20th.
The missing laptop contained information on patients who had been treated for cancer at Emory Hospital, Emory Crawford Long Hospital, and Grady Memorial Hospital. The data included names, addresses, and Social Security numbers.
Hospitals in other states were affected as well, including Geisinger Health System in Pennsylvania and Williamson Medical Center near Nashville, Tennessee. The laptop contained data on 25,000 Geisinger patients.
The contracting company, Electronic Registry Systems (ERS), was managing the collection of data on cancer patients under regulations governed by the Health Insurance Portability and Accountability Act (HIPAA).
Ohio police, ERS, and Emory Healthcare all rushed to claim that the theft was random and the data on the laptop was secure. Emory officials said that the data was "double-password protected" and that the laptop had "multiple layers of security."
Springdale, Ohio police lieutenant Mike Mathis told the Atlanta Journal-Constitution that he saw no evidence that identity theft was a motive for the crime.
However, the thieves were apparently quite determined. They broke in through a third-story window and then broke down the doors of several offices, making off with the missing laptop and another computer as well.
Black Market for Medical Records
The theft of patients' medical records is a growing concern, particularly as these records can be used to engage in "medical identity theft."
Criminals can use stolen medical data to create new identities for themselves, mixing and matching names and Social Security numbers in order to escape fraud detection.
Thieves can use these new identities not only to obtain credit and loans, but to get expensive medical procedures that they might not have otherwise been able to afford, running up thousands in debt in the process.
Loopholes in HIPAA and state medical privacy laws can make it extraordinarily difficult to correct errors in medical billing records.
Patients who have been hit with medical identity theft can find their insurance premiums skyrocketing, and can face large medical bills for procedures they never had.
Disgruntled workers at companies that are supporting medical providers can easily help criminals get access to medical records, or wreak havoc on internal systems that could end up erasing or destroying patients' data.