Saint Francis Health System in Tulsa, Okla., has become the latest health care provider to report a major data breach, this one resulting from the theft of a PC containing personal information for 84,000 patients.

The theft occurred in a building that formerly housed the Saint Francis Broken Arrow outpatient facility, which closed in 2007. The building is now an imaging center, but the data center from the old outpatient branch remains in existence.

Saint Francis discovered the breach Jan. 14 and notified the police immediately, according to the hospital. A police investigation is under way.

In an email, Saint Francis spokesperson Sevan Roberts referred eWEEK to its Feb. 11 press release. "To my knowledge, the police investigation is continuing," Roberts wrote.

"We sincerely apologize for any inconvenience this has caused our patients and employees from Saint Francis Broken Arrow," the hospital wrote in the statement.

The hospital says it has implemented new security measures following the incident, including monitoring remote data facilities, such as Broken Arrow, more closely and implementing advanced data security for stored data through a third party.

A letter the hospital mailed to patients and employees on Feb. 10 suggested that affected individuals watch their credit card statements, bank accounts, credit reports and health records for fraud.

"Please know that we continue to work closely with law enforcement authorities in an effort to retrieve the stolen equipment and data files contained therein," Saint Francis wrote in its letter.

Saint Francis also suggested contacting the credit agencies to report fraud alerts and requesting a free credit report at AnnualCreditReport.com.

Before the burglary, the stolen computer had last been used in 2004, according to the hospital. The PC held billing data for patients and hospital employee records.

Patient records included names, Social Security numbers, addresses and pre-2004 diagnostic data.

Meanwhile, the lost employee records held Social Security numbers, birth dates, salary information and mailing addresses.

Despite the breach affecting 84,000 patients, Saint Francis says this number amounts to less than 5 percent of former patients in its database.

"It is possible that the thief was primarily interested in the value of the computer equipment components, not the data stored therein," Saint Francis wrote in its letter. "Special expertise and tools would be required to access and use the data stored on the stolen equipment due to the password protection associated with the data and the age and type of the equipment."

The hospital suffered two similar breaches in the last several years. No identity theft or misuse of the missing data has occurred, according to Saint Francis.

As is customary following data breaches, Saint Francis will offer free identity-theft protection to former patients and employees. Saint Francis has set up a hotline (877-747-0021) to inform patients and employees about the breach.

The breach at the Saint Francis building follows several other recent incidents plaguing health care organizations. Insurer Health Net faced criticism for waiting until March 14 to report a data breach it discovered on Jan. 21 involving nine lost server drives with data on possibly 2 million people.

On Jan. 31, nonprofit health system Henry Ford Medical Center in Detroit discovered a flash drive was missing with data for 2,777 patients, and in October, the AmeriHealth Mercy insurance company reported the loss of a portable flash drive holding information on 280,000 Medicaid recipients.