Saint Francis Health System in Oklahoma has suffered a data breach involving the theft of a PC from a defunct outpatient facility.
in Tulsa, Okla., has become the latest health care
provider to report a major data breach, this one resulting from the theft of a
PC containing personal information for 84,000 patients.
occurred in a building that formerly housed the Saint Francis Broken Arrow
outpatient facility, which closed in 2007. The building is now an imaging
center, but the data center from the old outpatient branch remains in
discovered the breach Jan. 14 and notified the police immediately, according to
the hospital. A police investigation is under way.
In an email,
Saint Francis spokesperson Sevan Roberts referred eWEEK to its Feb. 11 press
release. "To my knowledge, the police investigation is continuing,"
sincerely apologize for any inconvenience this has caused our patients and
employees from Saint Francis Broken Arrow," the hospital wrote in the
says it has implemented new security measures following the incident, including
monitoring remote data facilities, such as Broken Arrow, more closely and
implementing advanced data security for stored data through a third party.
A letter the
hospital mailed to patients and employees on Feb. 10 suggested that affected
individuals watch their credit card statements, bank accounts, credit reports
and health records for fraud.
know that we continue to work closely with law enforcement authorities in an
effort to retrieve the stolen equipment and data files contained therein,"
Saint Francis wrote in its letter.
also suggested contacting the credit agencies to report fraud alerts and
requesting a free credit report at AnnualCreditReport.com.
burglary, the stolen computer had last been used in 2004, according to the
hospital. The PC held billing data for patients and hospital employee records.
records included names, Social Security numbers, addresses and pre-2004
lost employee records held Social Security numbers, birth dates, salary
information and mailing addresses.
breach affecting 84,000 patients, Saint Francis says this number amounts to
less than 5 percent of former patients in its database.
possible that the thief was primarily interested in the value of the computer equipment
components, not the data stored therein," Saint Francis wrote in its
letter. "Special expertise and tools would be required to access and use
the data stored on the stolen equipment due to the password protection
associated with the data and the age and type of the equipment."
suffered two similar breaches in the last several years. No identity theft or
misuse of the missing data has occurred, according to Saint Francis.
customary following data breaches, Saint Francis will offer free identity-theft
protection to former patients and employees. Saint Francis has set up a hotline
(877-747-0021) to inform patients and employees about the breach.
The breach at
the Saint Francis building follows several other recent incidents plaguing
health care organizations. Insurer Health Net
faced criticism for waiting until
March 14 to report a data breach it discovered on Jan. 21 involving nine lost
server drives with data on possibly 2 million people.
On Jan. 31,
nonprofit health system Henry Ford Medical Center in Detroit discovered a flash
drive was missing with data for 2,777 patients, and in October, the AmeriHealth
Mercy insurance company reported the loss of a portable flash drive with
information on 280,000 Medicaid recipients.