By Linda Rosencrance
August 28, 2006
A health care group in Michigan disclosed last Tuesday that a laptop PC
containing personal information on about 28,000 home-care patients had
been stolen in a car theft. But the company said Thursday that it had
recovered the laptop and determined that the thieves hadn't accessed the
The data on the Dell laptop was encrypted and password-protected,
according to a statement from William Beaumont Hospital in Royal Oak.
But the car theft, which occurred Aug. 5 in Detroit, caused particular
concern among hospital officials, because the affected employee's ID
access code and password were written on a piece of paper that was taped
to the inside of the stolen PC.
The employee, a nurse who has since been fired, was a new worker and was
still completing orientation procedures, the hospital said when it
disclosed the theft. It noted that Detroit police had recovered the
nurse's car without the laptop.
However, Beaumont later said that the laptop had been found after a
resident of the area from which the vehicle was stolen called a hospital
official and said the thief had dropped the computer while being chased
on foot by someone from the neighborhood.
The system's hard drive was examined by an independent computer
forensics expert, who informed Beaumont that the patient data hadn't
been accessed since the theft took place.
The data included the names, addresses, birth dates, medical insurance
information, Social Security numbers and some personal health records of
patients who had received home-care treatment from Beaumont over the
past three years. The theft of the computer wasn't related to any
knowledge of its data contents, the company said, adding that the system
was in a bag in the back seat of the stolen car.
Beaumont operates hospitals in Royal Oak and Troy, Mich., plus medical
clinics, other facilities and the home-care service. Chris Hengstebeck,
director of security at the hospital in Troy, said in a statement that
Beaumont officials "are so relieved to recover the laptop so that we can
put our patients' minds at rest. And we are relieved that no one's
personal or medical information was accessed."
Nonetheless, the company has taken a series of internal and external
actions in response to the theft. For example, Hengstebeck said in an
interview that the Beaumont Home Care employees directly involved in the
incident no longer work for the company. That includes the nurse and her
direct managers, he said.
Beaumont also said that its IT department has reviewed and strengthened
computer security systems and processes. In addition, IT staffers have
inspected all the laptops used by home-care workers and are reinforcing
security and password procedures with employees companywide.
Beaumont sent a letter to all of its home-care patients to notify them
about the missing laptop, and it has set up a toll-free hot line and a
Web site to provide information. The company also will provide a year's
worth of credit-reporting services to Beaumont Home Care patients
through Trans Union LLC. That offer remains in place despite the
recovery of the laptop, "out of consideration for the stress and concern
caused patients by the theft," Beaumont said.
The company is paying a $2,500 reward to the Detroit resident who made
the phone call.