On February 19, a laptop belonging to a physician affiliated with the Massachusetts Eye and Ear Infirmary was stolen while the physician was lecturing in South Korea. The laptop belonged to Robert Levine, MD, a neurologist with a particular focus on ringing in the ears, or tinnitus.
To date, Mass Eye and Ear has determined that data owned by Mass Eye and Ear on Levine’s laptop contained demographic and health information of approximately 3,526 patients treated by Levine at Mass Eye and Ear between February 3, 1988, and February 16, 2010, and of a small number of participants in research conducted by Levine at Mass Eye and Ear who were not also Levine’s patients, as follows:
•67 participants in somatic tinnitus modulation research, and
•One participant in pulsatile tinnitus research.
Levine reported the theft to police in South Korea. In addition, as required by law, Mass Eye and Ear is reporting the loss of its patient and research participant information to the individuals affected and to the appropriate state and federal authorities.
The following types of information about affected individuals associated with Mass. Eye and Ear may have been present on Levine’s laptop:
•Name;
•Address;
•Telephone numbers;
•E-mail;
•Date of birth and age;
•Sex;
•Medical record numbers;
•Dates of service;
•Medical information, including diagnoses, symptoms, test results, and prescriptions;
•Name and contact information for patient pharmacies; and
•Research participant status.
In addition, four individuals’ information also included their pharmacy insurance account number.
To the best of Mass Eye and Ear’s knowledge, Social Security numbers, financial account numbers, and credit or debit card numbers of individuals associated with Mass Eye and Ear were not present on the laptop.
Mass Eye and Ear is sending letters to affected individuals at their last known address. The hospital has posted a notice on its Web site in the event that the contact information for affected individuals is out of date and to provide notice to individuals for whom Mass Eye and Ear has no contact information.
Individuals who fit into one of the categories above and who do not receive a letter directly from Mass Eye and Ear, may contact the Mass. Eye and Ear Breach Response Center at 877-313-1395 to determine if they are affected.
Mass Eye and Ear has no indication that the information on the stolen computer has actually been accessed or inappropriately used. The computer was password protected and contained a tracking device commonly referred to as “LoJack.” The tracking device contacted LoJack on March 9 when the stolen computer was connected to the Internet in South Korea. LoJack was able to monitor the computer’s configuration and online use, and determined that:
•A new operating system was installed on the computer following the theft; and
•Software needed to access most of the information about affected Mass Eye and Ear individuals had not been reinstalled.
On April 9 it was determined that it was unlikely that continued monitoring of the computer would lead to its retrieval, and a command was sent by LoJack to the computer permanently disabling the hard drive and rendering any information, including information about affected Mass Eye and Ear individuals contained on the hard drive, permanently unreadable.
Despite the result of the tracking and destruction noted above, Mass Eye and Ear is unable to know whether the information about affected Mass Eye and Ear individuals on the computer was accessed between the date of the theft and March 9.
Should information have been inappropriately accessed, Mass Eye and Ear does not believe that the information on the laptop regarding the affected Mass Eye and Ear individuals presents a risk of financial identity theft. It is possible, however, that someone may be able to learn about affected Mass Eye and Ear individuals’ medical care from the stolen data, and affected individuals may have a risk that someone may attempt to use that information to impersonate them in order to obtain medical care or medications in their name.
In order to protect affected individuals, Mass Eye and Ear is providing information on precautions that they can take to protect themselves against medical identity theft and has arranged to provide them with one free year of credit monitoring, identity theft insurance, and restoration services.
In order to prevent similar breaches from occurring in the future, Mass. Eye and Ear is updating its information security program, including, but not limited to, taking the following specific actions:
•Deploying encryption to laptop computers that connect to Mass. Eye and Ear’s computer network; and
•Providing education to Mass Eye and Ear staff regarding limiting the amount of data stored on laptop computers.
Source: Massachusetts Eye and Ear Infirmary