On August 27, 2013, we received a report that an SSM Health Care laptop was stolen from an employee’s car during a break-in.
We are sincerely sorry this happened and want to provide pertinent information concerning the occurrence along with the steps we are taking to minimize any potential impact.
We have identified 629 patients who may have been affected. We are notifying each of the patients or their guardians by letters mailed September 30, 2013. Care was received at St. Mary’s Janesville Hospital in the emergency department between January 1 and August 26, 2013.
Upon our own thorough investigation and our attempts to identify the affected patients, we determined that the information on the laptop included some protected health information relating to medical visits. The information may have included patient name, date of birth, medical record and account numbers, provider and department of service, bed and room number, date and time of service, visit history, complaint, diagnosis, procedures, test results, vaccines, if administered, and medications. The laptop did not contain any Social Security numbers, addresses, credit card numbers, or financial information of any kind.
We have no reason to believe the laptop was stolen to gain access to patient information or that this information has been accessed or misused in any way. In fact, the computer was configured in such a way that information could not be written to the hard drive. Email information, however, was stored on the hard drive and password protected but not encrypted, which was in violation of St. Mary’s Janesville Hospital policy.
We take our responsibility to protect patient information very seriously. St. Mary’s Janesville Hospital is undertaking comprehensive reviews of this breach of policy and is instituting an information and re-education initiative to ensure that all employees and providers protect patient information at all times. We have inspected all laptops to ensure they all have encryption software. We will actively be monitoring consistency of laptop encryption and conducting monthly audits to ensure compliance with our encryption policies.
Additionally, we have partnered with ID Experts, a leader in identity protection services with extensive experience in this field, for patient identity monitoring and protection at our expense. Through ID Experts, we have arranged for affected patients to opt for a one-year identity theft monitoring and protection at our expense.
The notifications to patients, the federal Department of Health and Human Services, and the general public through a news release and posting on the hospital’s website are being made pursuant to the Health Information Technology for Economic and Clinical Health Act of 2009 and revised January 2013.