MidState Medical Center is investigating a data breach involving a hospital worker misplacing an external hard drive that stored data on 93,500 patients.
MidState Medical Center, in Meriden, Conn., has reported the loss of an external hard drive containing information on 93,500 patients.
State law enforcement and consumer protection advocates are also investigating this data breach.
Built in 1998, MidState Medical Center is an affiliate of Hartford
HealthCare and serves central Connecticut.
The employee, whom MidState did not name, violated hospital policy
by transferring patients' medical data to a hard drive and then
bringing it home. Somewhere between the hospital and the employee's
home, the hard drive went missing and has not been found.
The individual was an employee of sister facility Hartford Hospital
and is no longer employed by the hospital system, Pam Cretella, a
spokesperson for MidState, told eWEEK. She was unable to confirm that
the employee had been dismissed.
Connecticut Attorney General George Jepsen and Consumer Protection Commissioner William M. Rubenstein have asked MidState for
additional information on the breach.
"I strongly believe in protecting the confidentiality of patients'
private information," Jepsen said in a statement. "Hospitals,
like health insurance companies, have access to very sensitive health
and personal information. They have a duty to protect that information
Patient records on the missing hard drive included names, addresses,
dates of birth, marital status and medical record numbers as well
as, in some cases, Social Security numbers.
The hospital learned of the breach on Feb. 15 and mailed letters to notify patients almost two months later, on April 5.
As with most of the recent data breaches, MidState has offered affected patients two years of security through the Debix Identity Protection Network.
The hospital also recommended that its patients check their credit reports for fraudulent activity.
In addition to contacting law authorities, the hospital hired a
private investigator to look for the hard drive. MidState is also
reviewing its security policies and procedures to see how to improve
them, according to Cretella.
"We did have policies and procedures in place, but we're going to
review them to see if they need to be updated in any way and to
educate employees so that they are aware as well," Cretella said.
"Ensuring that companies comply with the law before consumers get
hurt is always more effective than trying to protect consumers
after a breach," Rubenstein said in a statement. "We will assess the
hospitals' security protocols to assure that a system is in place to
this kind of breach from happening again."
No evidence indicates that patient information on the hard drive has been used, Cretella stressed.
"Our patients' personal information and their protection is a big priority for us, and we apologize that this happened," Cretella said. "We're taking steps to ensure that something like this doesn't happen again."
The MidState data breach is not the only recent incident involving missing hardware.
On March 14, health insurer Health
reported the loss of nine server drives containing information on 2
million people, and on Feb. 11 Saint Francis Health System in Oklahoma
reported the theft of a PC from an outpatient
facility no longer in use.
Meanwhile, on Feb. 23, Henry Ford Health System in Detroit notified
the public of a missing flash drive holding information on 2,777
patients. Under its "zero-tolerance policy," Henry Ford threatened to
suspend or terminate employees who fail to secure PCs, smartphones or