Medical records and other data may have been compromised for at least 500 patients at Cedars-Sinai Medical Center in Los Angeles, the hospital said Friday, after an employee's laptop computer was stolen.
The laptop's hard drive may have had some combination of patient data, including information about lab testing, treatment and diagnosis, Cedars-Sinai said in a statement. Some files also contained patient Social Security numbers and other personal information.
The hospital said it will mail letters next week to patients already identified as being potentially affected by the data breach. It will also continue to monitor the incident to identify any additional patients affected and notify them. It has also notified all appropriate regulatory agencies, said Sally Stewart, a spokeswoman for the hospital.
The hospital does not yet have a final estimate on how many patients were affected, said Stewart, but it is continuing to review its data to find out.
"Even a potential data security incident on a single computer, as has occurred here, is not acceptable to us," David Blake, chief privacy officer at Cedars-Sinai, said in a statement. "We apologize to the people affected by this incident and have taken actions to prevent any re-occurrence."
The laptop was stolen from an employee's home during a burglary in late June. The theft was immediately reported to local police and the hospital. No arrests have been made and the password-protected laptop has not been recovered, but police and hospital investigations are ongoing, Cedars-Sinai said.
Cedars-Sinai said the laptop did not have additional encryption software required under hospital policies. Stewart said the encryption software was mistakenly not reinstalled after a change to the computer's operating system.
The employee's duties involved troubleshooting software problems outside normal business hours, which is why the computer was in the home, but the hospital said it has terminated remote access to its network from the stolen machine.
In what it calls "an abundance of caution," the hospital is advising potentially affected patients to regularly review statements they receive from health insurance companies and to contact their insurers if they see services listed that they did not receive.
Cedars-Sinai is also recommending that those patients review credit reports and account statements for suspicious activity. Stewart said the hospital will provide free credit monitoring for patients whose Social Security numbers may have been compromised.
Friday's announcement comes days after Tennessee-based Community Health Services Inc., which operates three hospitals in California and is one of the largest hospital groups in the U.S., said hackers stole data for some 4.5 million patients this year. It is one of the largest breaches of its kind in the U.S. since 2009.
Data protection company SafeNet Inc. of Baltimore said in July that the healthcare industry was the subject of nearly a quarter of the 237 data breach incidents worldwide in April to June of this year, more than any other industry.