New HIPAA breach details remain vague
How many patients affected? Officials say they aren't certain
Cedars-Sinai Health System is notifying its patients of a HIPAA breach, after an unencrypted hospital laptop containing patient medical data and Social Security numbers was stolen from an employee's home.
Despite saying they were mailing breach notification letters this week, hospital officials said they didn't know how many patients were affected by the June 23 HIPAA breach. CS officials launched an investigation into the theft more than two months ago. Multiple requests for the number have been unsuccessful.
The laptop stolen contained patient diagnoses, treatment data, lab tests, Social Security numbers in many cases, patient ID numbers and other personal information.
According to Cedars-Sinai officials, the employee used the unencrypted laptop to troubleshoot software and worked outside of normal business hours, which was why the laptop was taken home.
Despite it being Cedars-Sinai's policy to encrypt devices, "when the operating system was changed on this particular laptop to enable it to run particular programs, the encryption software was erroneously not reinstalled," said hospital spokesperson Sally Stewart, in an emailed statement. Stewart did not respond when asked if there were potentially other laptops that may also have gone under the radar of the policy or whether the hospital's policy is to encrypt all laptops and devices.
"Even a potential data security incident on a single computer, as has occurred here, is not acceptable to us," said Cedars-Sinai Chief Privacy Officer David Blake, in an Aug. 22 statement. "We apologize to the people affected by this incident, and have taken actions to prevent any re-occurrence."
Cedars-Sinai just last year made privacy headlines when six of the hospital's employees were fired after snooping on the medical records of more than a dozen patients, one of them reportedly Kim Kardashian.
More than 33.8 million people have had their protected health information compromised in HIPAA breaches, according to data from the Office for Civil Rights, the HHS division responsible for investigating HIPAA violations. And some 64 percent of all HIPAA breaches involved theft or loss of paper records or unencrypted devices.
Earlier this year in its annual breach report, Verizon analysts examined some 63,000 security incidents and more than 1,300 breaches, and found that the lion's share of healthcare data security incidents did indeed stem from physical theft or loss of unencrypted devices.
This stood as the highest percentage across any of the 19 industries analyzed in the report. So, not only are organizations failing to encrypt mobile devices and laptops, but healthcare employees are also being notably negligent with how they handle these devices -- leaving them unsecured in personal residences or personal vehicles, for instance.
"(Physical theft and loss) is the biggest hands down problem in healthcare that we are seeing," said Suzanne Widup, senior analyst on the Verizon RISK team, discussing the 2014 annual Verizon breach report in April. "It really surprises me that this is still such a big problem ... other industries seem to have gotten this fairly clearly."
Of course, the healthcare numbers are going to be slightly higher because the federal government has mandated specific HIPAA privacy and security breach notification requirements for healthcare organizations, but that doesn't change the reality that these organizations still fail to implement basic encryption practices, added Widup.