A desktop computer containing the personal information of 5,783 patients was stolen from Johns Hopkins Hospital in mid-July, and the hospital waited more than five weeks to inform the patients or their families of the theft.
The computer, taken from an "administrative work area" in a building on Johns Hopkins' main campus the night of July 15, contained patients' names, Social Security numbers, birth dates, medical histories and other personal information, according to Hopkins officials. Another computer and a projector were also stolen.
Such potential breaches of personal privacy are becoming more common, in Maryland and across the U.S. In February, Hopkins reported it couldn't locate computer tapes containing personal information on 135,000 employees and patients.
In May 2006, a laptop containing the Social Security numbers of more than 26 million veterans and their spouses was stolen from the Montgomery County home of a Department of Veterans Affairs employee, and later recovered. Last May, St. Mary's Hospital in Leonardtown announced that a laptop containing data on 130,000 former and current patients had been stolen. And last weekend, a Maryland Department of the Environment laptop containing personal records of 10,000 people was taken from an employee's car.
In the latest incident, recordings from video surveillance cameras led authorities to issue criminal summonses for a Hopkins employee and an employee of an on-site vendor, Hopkins spokesman Gary Stephenson said yesterday when contacted by The Sun. He didn't identify the two workers.
Officials said the computer, which was attached to a desk with a steel cable, was password-protected, but the data it contained were not encrypted or password-protected.
Computer not found
Hopkins officials apologized to patients for "any inconvenience or worry caused by the theft." Stephenson said it was "highly likely" the computer was sold for the value of its hardware. It has not been located.
"We have no reason to believe any of the data has been misused," said Stephenson.
The hospital filed a report with police two weeks after the theft but waited until Aug. 24 to begin sending letters to patients to inform them that their personal information was missing.
Stephenson said Hopkins did not make a public announcement and delayed contacting patients in part because public disclosure "might have sabotaged the effort" to recover the computer. He said it also took time to reconstruct the list of patients in the missing database, prepare notification letters and arrange help for anyone affected.
Hopkins has set up a telephone hot line for concerned patients and family who have questions about the data breach. The hospital is also offering to pay for credit monitoring and counseling services for a year, and is promising to help patients if they become the victims of identity theft.
The Sun learned of the theft from a patient who said she didn't receive a letter from Hopkins until Tuesday.
"It was very upsetting," said the woman, who asked to remain anonymous because of her condition. "I asked them what was being done, and they told me, 'We will be studying the situation.' This is not a satisfactory answer for someone who tries to protect their privacy."
The woman said she is being treated for cancer at Hopkins' Sidney Kimmel Comprehensive Cancer Center but has also gone to outpatient clinics on the hospital campus.
Stephenson said that records of past and current patients were on the computer and that 1,202 of the patients were already deceased at the time of the theft.
The database was developed to supply a tumor registry required by state law, Stephenson said. Such databases can help researchers study cancer prevention and treatment.
Linda Foley, founder of the Identity Theft Resource Center in San Diego, said that Hopkins' response seemed slow but that determining whose personal information has been stolen can take time.
However, she added, institutions should notify victims of information theft promptly so they can inform credit agencies.
"The sooner you can get fraud alerts out to the credit agencies, the better," she said.
In February, after Hopkins' report of missing computer tapes, privacy advocates criticized the institution for not protecting personal information by encrypting the data. An investigation later determined that the tapes were probably destroyed.
Johns Hopkins University President William R. Brody apologized at that time, saying the university would review its "processes and procedures and make any appropriate changes in an effort to ensure that this does not happen again."
'Struggling with issue'
Stephenson said that Hopkins has begun encrypting information stored on its computers, but that "much data stored in computers used by Hopkins remains unencrypted."
"It is rare for medical centers to encrypt all databases of private information within a network," he said. "Academic medical centers everywhere are struggling with the issue."
Foley said medical institutions have moved less quickly than other types of businesses to protect people's sensitive information.
"The businesses are sensitive to the fact that if someone doesn't feel comfortable, they will take their money elsewhere," she said. "But if you're having appendicitis, you don't ask which hospital has the best [privacy] practices. My health is the major concern; personal privacy comes second."