2,207 individuals, who participated in a newborn screening program, are being notified their personal information may have been stolen.
Laptop – password protected Windows user name, NOT encrypted.
Stored in a locked, private room (an office?)
Data – Includes: patient and mother’s names, medical record numbers, date of birth, diagnosis, plus social security number for some.
The exact date stolen is not known, but between June 18 & June 21.
The university says there is no indication any of the data has been accessed.
Really, the only way they would know is when patients start reporting to UK cased of identity theft.
Practically speaking, one would suspect the laptop was stolen for the hardware.
BUT we can’t presume this.
How did somebody know it was in this “locked private room”?
What should they have done?
- Not put this data on a laptop
- IF you must put PHI on a laptop, encrypt the laptop
Additionally, your office better have a computer encryption policy spelling out when a computer hard drive should be encrypted.
Why encrypt? They had a windows password.
The windows password can be bypassed in less than 5 minutes.
Encryption renders the data on the hard drive useless.