A data breach this summer involving Cedars-Sinai Medical Center patient records was much worse than previously disclosed.
The Los Angeles hospital has notified state and federal officials that medical records of more than 33,000 patients were on a laptop stolen from an employee’s home during a June burglary.
It was among the latest in a string of hospital data breaches across the nation that have prompted calls for better security for medical records.
“Medical information is among the most sensitive there is. There is simply no excuse to allow the data to be stored unencrypted on an employee’s laptop,” said Marc Rotenberg, president of the Electronic Privacy Information Center in Washington, D.C.
Cedars-Sinai had said in August that the laptop contained the records of at least 500 patients. After consulting a data forensics firm, the hospital increased the number of patients affected to 33,136.
The laptop was password-protected, but did not have additional encryption software that would have further protected the sensitive data. The software was mistakenly not reinstalled after a change to the computer’s operating system, the hospital said.
Cedars-Sinai sent letters to patients whose records were contained in the laptop, informing them of the breach.
“Cedars-Sinai takes the security of our patients’ health information very seriously and has multiple security safeguards in place,” the hospital said in the letter to patients. “Even a potential data security incident on a single computer, as occurred here, is not acceptable to us.
“We deeply apologize for this incident and have taken actions to prevent any reoccurrence.”
The employee worked on software related to clinical laboratory reports and needed access to them outside normal business hours, Cedars-Sinai said.
The records on the laptop’s hard drive included patient names, medical data, health insurance policies, dates of birth and driver’s license numbers. The Social Security numbers of about 1,500 patients were contained in the files, the hospital said.
Hospital staff are in the process of confirming that all employee laptops are properly encrypted, Cedars-Sinai said in a statement to The Times.
Patient records have been stolen or mistakenly released at medical facilities across the United States in recent years.
In March, Los Angeles County disclosed that the records of more than 160,000 patients were contained on computers stolen from a county contractor. The county later increased that figure to more than 330,000, according to a list of data breaches compiled by the U.S. Department of Health and Human Services.
In May, New York Presbyterian Hospital and Columbia University agreed to pay a $4.8-million fine after the health records of more than 6,000 people were mistakenly released on the Internet in violation of the Health Insurance Portability and Accountability Act.
In 2012, Blue Cross Blue Shield of Tennessee agreed to pay a $1.5-million fine after disclosing that health records of more than 1 million people were contained on 57 unencrypted computer hard drives stolen from a storage facility.
Given that background, it is inexcusable for hospitals to have employees walking around with patient records that are not properly protected, said Beth Givens, executive director of the Privacy Rights Clearinghouse.
“Encryption these days is security 101,” she said. “You’re going to spend a lot more money these days recovering from a breach than if you had simply spent the money securing your devices from the very start.”
Medical records are among the most valuable on the black market because they can be used to submit fraudulent health insurance claims as well as for bank and credit card fraud, especially if Social Security numbers are stolen, Givens said.
No arrests have been made in the burglary of the Cedars-Sinai employee’s home, and the laptop has not been recovered, the hospital said.
Cedars-Sinai said it has no indication that the stolen laptop was used to access the medical records. After the theft, the hospital blocked the laptop’s access to its computer network.
“We believe that the laptop was stolen as a piece of personal property, not for any information it contained,” the hospital said.