Backup data on 365 000 patients stolen from car

About 365,000 hospice and home health care patients in Oregon andWashington are being notified about the theft of computer backupdata disks and tapes late last month that included personalinformation and confidential medical records.

In an announcement Thursday, Providence Home Services, a divisionof Seattle-based Providence Health Systems, said the records andother data were on several disks and tapes stolen from the car of aProvidence employee at his home. The incident was reported by theemployee on Dec. 31, according to the health care system.

The tapes and disks were taken home by the employee as part of abackup protocol that sent them off-site to protect them againstloss from fires or other disasters. That practice, which was onlyused by the home health care division of the hospital system, hassince been stopped, said health system spokesman Gary Walker.

“This was only done in one area of the company,” Walker said. “Itdid not involve the hospital’s database [of patients]….That onepart of the company was sending data home off-site. But we shouldhave reviewed the policy.”

The data on the tapes was encrypted, Walker said. The data on thedisks was in a proprietary file format that was not encrypted, but”is stored in a way that would make it difficult, if notimpossible, for someone to access it, then make any sense out ofit,” he said.

From now on, all data will be made secure using additionaltechnologies, according to Walker. “We are encrypting all thematerial we can encrypt now,” as the health care system reviews allof its procedures and security, he said. “We are sorry that thishappened and we don’t want it to happen again.”

Providence officials said there have been no reports that any ofthe stolen information has been used improperly since the incident.

Providence is notifying affected patients by mail about the theft.The information on the disks and tapes included names, addresses,dates of birth, physicians’ names, insurance data, diagnoses,prescriptions and some lab results. For approximately 250,000 ofthe patients, Social Security numbers were on the records,according to the health system. Some of the records also includedpatient financial information.

Rick Cagen, CEO of Providence’s Portland service area, said newbackup procedures are being implemented using more traditional ITmeans, including secure sites in remote locations for safety andredundancy. “We do have alternate practices now,” Cagen said.

The four-week delay in publicly announcing the theft was needed soProvidence officials could recreate the stolen data and identifythe patients who needed to be contacted, he said. The delay wasalso caused in part by the large number of records that had to beprocessed, he said.

“We realize this is a major inconvenience and cause for realconcern, and we deeply apologize to everyone affected by thisincident,” Cagen said. “Even though we have no indication that thethief has accessed the data, we are doing all we can to help ourpatients and employees protect their information.”

The incident is the second data theft from a motor vehicleannounced this week. On Thursday, Minneapolis-based financialservices company Ameriprise Financial Inc. said it is notifyingsome 158,000 customers and 68,000 financial advisers that a laptopcontaining personal information about them — including names,account numbers or Social Security numbers — was stolen from aparked car late last month.