The Cedars-Sinai Medical Center in Los Angeles announced an unencrypted laptop theft that compromised the data of more than 500 patients in August, but the actual number of affected patients was unknown. The Los Angeles Times recently reported that the damage was worse than many realized, as the breach impacted more than 33,000 patients.
The update is significant in that it changes the scope of a breach that may have included protected health information (PHI) such as medical record numbers, patient identification numbers, lab testing information, treatment information and diagnostic information, and some patient Social Security numbers.
Cedars-Sinai sent out patient data breach notification letters on August 22 and told affected patients that it was currently investigating the incident.
Cedars-Sinai retained independent experts in computer forensics to manually and electronically review the files that may have been on the laptop at the time of the theft and to identify any Cedars-Sinai patients whose information may have been stored on the stolen device. This investigation is ongoing.
The loss of an unencrypted laptop with more than 33,000 patients’ data on it is cause for alarm among some privacy experts. “Medical information is among the most sensitive there is. There is simply no excuse to allow the data to be stored unencrypted on an employee’s laptop,” Marc Rotenberg, president of the Electronic Privacy Information Center in Washington, D.C., told the Times.
CMS letter calls out Vermont Health Connect security issues
In addition to dealing with its own health insurance exchange data security issues, the Centers for Medicare and Medicaid Services (CMS) is dealing with exchange security risks at the state level.
Vermont Health Connect was taken offline on September 15 to improve functionality and to boost data security, but a CMS letter from June offers insight into the significance of the security risks. According to vtdigger.org, CMS threatened Vermont officials months ago that the site would be taken down if the “significant number” of security issues that could “present risk to the security of the [federal] Hub” weren’t taken care of.
After CMS originally gave Vermont Health Connect until September 8 to remediate the issues, the exchange apparently received an extension to November 3 because of a vendor change from CGI, its previous contractor, to Optum. CMS seemed to agree with Vermont Health Connect that vendor transition is “inherently disruptive” and that this change was reason enough to delay the deadline and make sure that security really had been enhanced.
“(The security breach) definitely raised their anxiety level,” Lawrence Miller, CMS chief of health care reform, said. “They shared their perspective on the changed threat environment, and that changed our perspective.”