Here is a list of 10 hospitals and health systems that reported significant data breaches over the last year.
1. Geisinger Health System (Danville, Pa.). The personal health information of approximately 3,000 Geisinger patients was disclosed in an unauthorized manner in early November. On Nov. 3, a former Geisinger Wyoming Valley Medical Center gastroenterologist transferred the personal health information data from his Geisinger computer to his home email account in an unencrypted email. The physician sent the data to his home computer to complete an analysis of his procedures. The disclosed information included patient names, Geisinger medical record numbers, types of procedures, indications and the physician's brief impressions regarding the care provided. The information did not include addresses, telephone numbers, social security numbers, patient account information or any other financially information that would make patient vulnerable to financial identity theft.
2. Dean and St. Mary's Hospital (Madison, Wis.). A laptop containing information on more than 3,000 patients of Dean and St. Mary's Hospital was stolen from a Dean Clinic physician during a home invasion robbery in November. The facility identified 3,288 patients who may have been affected and is notifying each patient or their guardians by letter. Through an internal investigation, the clinic learned the laptop contained limited amounts of information, including names, dates of birth, medical record numbers, diagnoses, procedures and possibly pathology data. The laptop did not contain Social Security numbers, credit card information, home addresses, phone numbers or any other financial information. The clinic also stated there was no reason to believe the laptop was stolen to gain access to patient information or that the information would be misused.
3. Mountain Vista Medical Center (Mesa, Ariz.). On Dec. 15, Mountain Vista Medical Center reported that it had not yet found the records of 2,284 endoscopy patients that have been reported missing since Oct. 13. The information is on compact memory data cards and listed procedures from Jan. 2008 to Oct. 2010. It includes patients' full name, date of birth, age, sex, hospital medical record number, physician's last name, and information and images from the endoscopy procedures. No credit card information, social security identification or telephone numbers were included. The hospital has no evidence that information involved in the incident has been accessed or improperly used. All affected patients have been contacted, and they were offered one year of credit monitoring service by the hospital.
4. University of Tennessee Medical Center (Knoxville, Tenn.). Officials from the University of Tennessee Medical Center notified approximately 8,000 patients in November that the facility did not properly dispose of hospital reports containing private information, posing potential risk of a privacy data breach. In early October, the hospital was notified that records containing private patient information were disposed without proper shredding and were instead discarded in the hospital's waste stream. UT Medical Center officials said there was no reason to believe any patient information was disclosed, used or accessed inappropriately, and patient-related information likely became unreadable during the hospital's waste management process post-disposal. The hospital corrected the disposal process and is taking extra measures to ensure the proper disposal of patient information, including retraining of employees and sanctions against involved hospital staff members.
5. Kern Medical Center (Bakersfield, Calif.). Kern Medical Center was fined $250,000 in November over the theft of 596 patients' medical records. Kern's penalty came alongside financial penalties for five other California hospitals and one nursing home after the California Department of Public Health determined the healthcare facilities failed to prevent unauthorized access to confidential patient medical information. Kern's fine was the largest of the six hospitals and included an extra $60,000 fine over unauthorized access and disclosure of one patient's medical information by two employees on three occasions. The California facilities were required to submit a plan of correction to CDPH within 10 working days and implement a plan of correction to prevent future incidents.
6. New York-Presbyterian Hospital (New York City). Thousands of patients' information was leaked online after a staff member at New York City-based New York-Presbyterian Hospital accidentally placed bits of the information on an unsecured computer server in July. Personal medical records and data — including names, ages, blood pressure, heart rates and other personal information — of approximately 6,800 patients were accessible through online search engines. The accidental leak happened in July, and hospital officials started contacting the affected patients in late September.
7. Thomas Jefferson University Hospital (Philadelphia). A computer containing health and personal information on 21,000 patients was taken from an office at Thomas Jefferson University Hospital in Philadelphia in July. The hospital notified the affected patients in a letter from hospital President Thomas J. Lewis, who offered identity theft monitoring and protection. Mr. Lewis said the hospital would do all it could to protect the patients whose information, including Social Security numbers, had been exposed and take steps to prevent similar incidents in the future.
8. Griffin Hospital (Derby, Conn.). A radiologist was connected with the breach of medical information for 957 patients at Griffin Hospital in March. The radiologist, whose position at the hospital ended on Feb. 3, worked for a contracted group for the hospital. From Feb. 4-March 5, he accessed information, not including Social Security numbers or financial data, through the hospital's Digital Picture Archiving and Communication System using passwords of other employees without their knowledge, according to the report. The physician downloaded medical imaging information, including x-rays, for 339 Griffin patients, some of whom were contacted by a physician offering his services at another hospital. It was not indicated if the radiologist was fired or left Griffin for another reason. The hospital notified the Connecticut Attorney General's office and the U.S. Secretary of the Department of Health and Human Services of the breach.
9. South Shore Hospital (Weymouth, Mass.). Back-up computer files containing personal, health and financial information on around 800,000 South Shore Hospital patients over the last 14 years were lost during a shipment to a data management company in July. The files from South Shore Hospital in Weymouth, Mass., went missing after they were shipped to a data management company hired to destroy the electronic documents, according to the report. The lost data, filed between Jan. 1, 1996 and Jan. 6, 2010, included full names, addresses, phone numbers, dates of birth, Social Security and driver's license numbers and confidential medical records. A small number of files may have also included credit card information and bank account data.
10. Johns Hopkins Hospital (Baltimore). A 25-year-old employee at Johns Hopkins Hospital in Baltimore allegedly stole names, social security numbers and address from patients, giving the information to friends to buy more than $600,000 in merchandise. The U.S. Attorney's Office indictment said the employee stole the information between Aug. 2007 and March 2009. The employee had access to personal information from patients and their guardians but court papers did not say precisely where in the hospital she worked. The defendants, which include the employee and four other individuals ranging in age from 22 to 54 who received the information from the employee, face a maximum sentence of 30 years in prison for conspiracy to commit bank fraud and two years in prison consecutive to any other sentence for aggravated identity theft.
Read more on data breaches:
-Fraud Solutions Company Forecasts Top Security Issues for 2011
-Crisis Communication During a Data Breach: 5 Best Practices
-Laptop Theft: #1 Cause of Health Data Breaches
1. Geisinger Health System (Danville, Pa.). The personal health information of approximately 3,000 Geisinger patients was disclosed in an unauthorized manner in early November. On Nov. 3, a former Geisinger Wyoming Valley Medical Center gastroenterologist transferred the personal health information data from his Geisinger computer to his home email account in an unencrypted email. The physician sent the data to his home computer to complete an analysis of his procedures. The disclosed information included patient names, Geisinger medical record numbers, types of procedures, indications and the physician's brief impressions regarding the care provided. The information did not include addresses, telephone numbers, social security numbers, patient account information or any other financially information that would make patient vulnerable to financial identity theft.
2. Dean and St. Mary's Hospital (Madison, Wis.). A laptop containing information on more than 3,000 patients of Dean and St. Mary's Hospital was stolen from a Dean Clinic physician during a home invasion robbery in November. The facility identified 3,288 patients who may have been affected and is notifying each patient or their guardians by letter. Through an internal investigation, the clinic learned the laptop contained limited amounts of information, including names, dates of birth, medical record numbers, diagnoses, procedures and possibly pathology data. The laptop did not contain Social Security numbers, credit card information, home addresses, phone numbers or any other financial information. The clinic also stated there was no reason to believe the laptop was stolen to gain access to patient information or that the information would be misused.
3. Mountain Vista Medical Center (Mesa, Ariz.). On Dec. 15, Mountain Vista Medical Center reported that it had not yet found the records of 2,284 endoscopy patients that have been reported missing since Oct. 13. The information is on compact memory data cards and listed procedures from Jan. 2008 to Oct. 2010. It includes patients' full name, date of birth, age, sex, hospital medical record number, physician's last name, and information and images from the endoscopy procedures. No credit card information, social security identification or telephone numbers were included. The hospital has no evidence that information involved in the incident has been accessed or improperly used. All affected patients have been contacted, and they were offered one year of credit monitoring service by the hospital.
4. University of Tennessee Medical Center (Knoxville, Tenn.). Officials from the University of Tennessee Medical Center notified approximately 8,000 patients in November that the facility did not properly dispose of hospital reports containing private information, posing potential risk of a privacy data breach. In early October, the hospital was notified that records containing private patient information were disposed without proper shredding and were instead discarded in the hospital's waste stream. UT Medical Center officials said there was no reason to believe any patient information was disclosed, used or accessed inappropriately, and patient-related information likely became unreadable during the hospital's waste management process post-disposal. The hospital corrected the disposal process and is taking extra measures to ensure the proper disposal of patient information, including retraining of employees and sanctions against involved hospital staff members.
5. Kern Medical Center (Bakersfield, Calif.). Kern Medical Center was fined $250,000 in November over the theft of 596 patients' medical records. Kern's penalty came alongside financial penalties for five other California hospitals and one nursing home after the California Department of Public Health determined the healthcare facilities failed to prevent unauthorized access to confidential patient medical information. Kern's fine was the largest of the six hospitals and included an extra $60,000 fine over unauthorized access and disclosure of one patient's medical information by two employees on three occasions. The California facilities were required to submit a plan of correction to CDPH within 10 working days and implement a plan of correction to prevent future incidents.
6. New York-Presbyterian Hospital (New York City). Thousands of patients' information was leaked online after a staff member at New York City-based New York-Presbyterian Hospital accidentally placed bits of the information on an unsecured computer server in July. Personal medical records and data — including names, ages, blood pressure, heart rates and other personal information — of approximately 6,800 patients were accessible through online search engines. The accidental leak happened in July, and hospital officials started contacting the affected patients in late September.
7. Thomas Jefferson University Hospital (Philadelphia). A computer containing health and personal information on 21,000 patients was taken from an office at Thomas Jefferson University Hospital in Philadelphia in July. The hospital notified the affected patients in a letter from hospital President Thomas J. Lewis, who offered identity theft monitoring and protection. Mr. Lewis said the hospital would do all it could to protect the patients whose information, including Social Security numbers, had been exposed and take steps to prevent similar incidents in the future.
8. Griffin Hospital (Derby, Conn.). A radiologist was connected with the breach of medical information for 957 patients at Griffin Hospital in March. The radiologist, whose position at the hospital ended on Feb. 3, worked for a contracted group for the hospital. From Feb. 4-March 5, he accessed information, not including Social Security numbers or financial data, through the hospital's Digital Picture Archiving and Communication System using passwords of other employees without their knowledge, according to the report. The physician downloaded medical imaging information, including x-rays, for 339 Griffin patients, some of whom were contacted by a physician offering his services at another hospital. It was not indicated if the radiologist was fired or left Griffin for another reason. The hospital notified the Connecticut Attorney General's office and the U.S. Secretary of the Department of Health and Human Services of the breach.
9. South Shore Hospital (Weymouth, Mass.). Back-up computer files containing personal, health and financial information on around 800,000 South Shore Hospital patients over the last 14 years were lost during a shipment to a data management company in July. The files from South Shore Hospital in Weymouth, Mass., went missing after they were shipped to a data management company hired to destroy the electronic documents, according to the report. The lost data, filed between Jan. 1, 1996 and Jan. 6, 2010, included full names, addresses, phone numbers, dates of birth, Social Security and driver's license numbers and confidential medical records. A small number of files may have also included credit card information and bank account data.
10. Johns Hopkins Hospital (Baltimore). A 25-year-old employee at Johns Hopkins Hospital in Baltimore allegedly stole names, social security numbers and address from patients, giving the information to friends to buy more than $600,000 in merchandise. The U.S. Attorney's Office indictment said the employee stole the information between Aug. 2007 and March 2009. The employee had access to personal information from patients and their guardians but court papers did not say precisely where in the hospital she worked. The defendants, which include the employee and four other individuals ranging in age from 22 to 54 who received the information from the employee, face a maximum sentence of 30 years in prison for conspiracy to commit bank fraud and two years in prison consecutive to any other sentence for aggravated identity theft.
Read more on data breaches:
-Fraud Solutions Company Forecasts Top Security Issues for 2011
-Crisis Communication During a Data Breach: 5 Best Practices
-Laptop Theft: #1 Cause of Health Data Breaches