Indiana University Health Arnett has notified over 10,000 patients after an unencrypted laptop was stolen from a car. The risks inherent to universities have been widely documented here, but add HIPAA and HITECH privacy and security to the mix and you have a risk management nightmare. This breach was a failure of proper policy, procedures, and security infrastructure.
On April 10, 2013, we learned that an employee’s password-protected unencrypted laptop was stolen from the employee’s car the day before. The White County Sheriff’s Office was immediately contacted and we began an internal investigation. That investigation determined that the laptop contained patient information. Emails stored on the laptop’s hard drive may have contained patient names, dates of birth, physicians’ names, medical record numbers, diagnoses and dates of service. The laptop did not contain Social Security numbers, financial information, or patients’ medical records.
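Password protection does not equal encryption, and password protection does not equal good security. A login password controls access to the operating system, not to the data on the disk, which stays readable unless the drive itself is encrypted. You can read the full press release here: Notice to IU Health Arnett Patients Regarding Missing Laptop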