A laptop stolen from a member of the faculty of LSU Health New Orleans School of Medicine has potentially exposed the protected health information of approximately 5,000 minor patients primarily living in Louisiana and Mississippi.
Dr. Christopher Roth, Assistant Professor of Urology, reported that his university-issued laptop was stolen from his car sometime between the evening hours of July 16 and the early morning hours of July 17, 2015. The car was parked in front of his home. Dr. Roth said he discovered the theft on the morning of the 17th as he was leaving to attend clinic. He reported the theft to law enforcement and the university. The laptop has not been recovered.
The information on the laptop included names, dates of birth, dates of treatment, descriptions of patients’ conditions, treatments, and outcomes, lab test results, radiological and ultrasound images, medical record numbers, and diagnosis and treatment information. No Social Security numbers, credit card, bank account information or other financial data were stored on the laptop.
When the theft was reported, the Office of Compliance at LSU Health Sciences Center New Orleans began the difficult and laborious process of trying to reconstruct the files that could have been stored on the laptop to identify any patients whose information may have been compromised. When using the laptop, the data were not saved to LSU Health Sciences Center New Orleans servers, but, instead, to the laptop’s hard drive, so the specific data stored on the laptop cannot be accessed by the university.
The process to reconstruct and ready notifications took nearly eight weeks to complete. It is unknown whether any specific patient’s data were on the stolen laptop, however those patients the university suspects may have been affected will receive individual notification by mail, along with information about protecting against identity theft.
While the exhaustive investigation appears to have found thousands of patients, others may remain unidentified. The university asks that patients of Dr. Roth from July 2009 to July 16, 2015, who do not receive a letter either call 504-568-8672 or toll free 1-844-578-2656 or email LSUHSCNO-PatientQuestions@lsuhsc.edu.
Although the university is not aware of any access or misuse of the data, patients of Dr. Roth are strongly encouraged to visit the website www.identitytheft.gov, which provides a step-by-step process to respond to, and recover from, incidents of identity theft.
The university genuinely regrets any hardships this incident may have caused. In an effort to mitigate any adverse effects arising from the theft, LSU Health Sciences Center New Orleans is offering a one year subscription to a credit monitoring service for patients affected by this breach. Affected patients who wish to take advantage of this offer or need additional information should call 504-568-8672. Those patients outside the 504 area code should call 1-844-578-2656. Questions and requests can also be sent via email to LSUHSCNO-PatientQuestions@lsuhsc.edu.
LSU Health Sciences Center New Orleans’ policy requires users of its SYSTEM IT infrastructure to take reasonable care to avoid allowing unauthorized access to or disclosure of protected and restricted information stored on a mobile device and prohibits users from leaving SYSTEM-owned mobile devices unattended.
The policy was not adhered to in this instance, and appropriate disciplinary action will be taken at the conclusion of the investigation. In addition, the university is reviewing its information security policies and procedures to determine if improvements can be made to further reduce the risk of such a breach in the future. Any changes will be included in the information security training that all employees and students are required to complete.