- UT Physicians, The University of Texas Health Science Center at Houston (UTHealth) Medical School’s medical group practice, posted a notice on Wednesday notifying patients of an Aug. 2 data breach.
The organization learned that an unencrypted laptop (attached to an electromyography machine) with patient data had been stolen on Aug. 2 from a locked closet inside an orthopedic clinic. Though the laptop contained names, birth dates and medical record numbers, it did not have any addresses, Social Security numbers, insurance or other financial information. The data included hand and arm image data from Feb. 2010 to July 13. The laptop was last seen on July 19 and has yet to be found. The organization offered up the boilerplate “we do not have a reason to believe any data has been compromised” response and added that the laptop was password protected and it thought all devices had been encrypted:
UT Physicians does not have any reason to believe that the information has been accessed or used by any unauthorized individual, but as a precaution began mailing letters today to 596 patients whose information was stored on the laptop. UT Physicians is committed to patient privacy and deeply regrets that this incident occurred. Encryption of all laptops has been the policy at UT Physicians and UTHealth for the last two years. To date, all known laptops – more than 5,000 – have been encrypted. The medical group and UTHealth have taken steps to ensure that the missing laptop in the orthopedic clinic is an isolated incident.
Additionally, UT Physicians and UTHealth officials said they will continue to work with law enforcement in their investigation. In the notification, officials said they have done a physical search of all clinics and offices to ensure that there are no other unencrypted laptops or storage devices attached to medical equipment. The organization listed a few ways it plans on avoiding these types of breaches in the future, including being more involved with medical equipment and hardware purchases. It also plans on reviewing current processes and encryption practices to prevent unencrypted devices from being stolen in the future.