Safeguards were skipped before computer with patient info was taken.
The theft of a consultant's laptop computer from a car in July may have exposed thousands of Twin Cities patients to the risk of identity theft, hospital officials disclosed Tuesday.
The laptop, containing private information on about 14,000 patients of Fairview Health Services and 2,800 patients at North Memorial Medical Center, was stolen from a locked car in the parking lot of a Minneapolis restaurant.
Officials at Fairview said they believed there were adequate safeguards in place before the data was shared with Chicago-based Accretive Health, and that there was good reason to give Accretive that information.
"The assumption was that the information was safe," said Lois Dahl, Fairview's information privacy director.
But in this case, she said, the safeguards broke down: The data on the computer weren't encrypted.
This is the latest in a string of cases nationwide -- and the second in the Twin Cities this year -- in which medical data has gone missing or been inadvertently splashed across the Internet, breaching the privacy of countless patients while revealing the challenges facing hospitals and clinics in an era of massive electronic medical records.
"Events like these weaken public faith in care providers' ability to keep digital health information confidential,'' said Harley Geiger, a lawyer for Center for Democracy and Technology in Washington, D.C. "It's hard to argue that the issue is taken seriously enough when they keep losing unencrypted mobile devices containing the intimate medical details of thousands of people."
Both Fairview and North Memorial said there's no evidence the information had been misused. But just in case, they're sending letters this week to all the affected patients and offering free services to protect them against identity theft.
"Obviously, we take this event seriously," said Dr. Mark Werner, one of the senior physician leaders at Fairview. "It's deeply regrettable."
The laptop was left in a locked car in a restaurant parking lot and reported stolen July 25.
Hospital officials said they learned of the theft within days but waited until now to start notifying patients because it took time for investigators to identify what was on the computer.
For Fairview patients, the data included names, birth dates and Social Security numbers, as well as some medical information. North Memorial said it included names, medical record numbers and "limited clinical information."
The consulting firm, Accretive Health, was supposed to encrypt the laptop for security purposes but failed to do so, according to officials at Fairview and North Memorial.
The firm declined to answer questions Tuesday, but issued a brief statement saying that "we are working closely with our affected clients."
Fairview officials defended the practice of sharing private patient data with an outside consultant. They said it's unusual for employees or consultants to keep a large amount of patient data on their laptops, but that in this case, it was justified.
Accretive Health was hired, in part, to analyze which individuals may need extra care coordination. That means combing through data on thousands of patients. "In this situation, he had what he needed to do his job," Dahl said.
But Jeff Neuberger, the chief executive officer of Mid Dakota Clinic in Fargo, said he can't imagine allowing a contractor to load patient files onto a laptop computer.
"Someone might need to be fired for this one,'' said Neuberger, who made headlines in North Dakota last week for opting out of an insurance company's directive to share patient records with an Atlanta quality consultant.
When there's a legitimate reason to share patient information, Neuberger said, he would bring the contractor on-site and provide temporary, restricted access to the company's computer system. Nothing leaves on a laptop, he said.
That's a debatable issue among hospitals, said Lawrence Massa, president of the Minnesota Hospital Association. But in any case, he said, Fairview and North Memorial did the right thing by notifying affected individuals and going public with the security lapse.
This is the second time this year that Fairview has reported a potential breach in patient data. In April, it reported that a box containing information on 1,200 patients was lost during an office relocation. The box has never been found and is presumed destroyed.
Dahl said it's unlikely that whoever stole the laptop will be able to get at the patient data, which is password-protected. At the same time, she said that it should not have been left in public view and that Fairview is intensifying its efforts to ensure that workers safeguard sensitive information.
Fairview continues to work with Accretive, but officials would not say whether the individual consultant involved in the case still works there.
Deb Contreras, North Memorial's privacy officer, issued a statement Tuesday saying: "It is unfortunate that one of our vendors failed to meet that expectation. North Memorial is currently evaluating how to further improve our security processes with all our vendors to prevent incidents like this from happening in the future."