Less than a year after its last data breach, Stanford University’s Hospital and Clinics and the School of Medicine has begun to notify approximately 2,500 patients of a second breach after the theft of a laptop from a physician’s locked office.
According to reports late last week, the computer was stolen on July 15 or 16 and while there was no evidence any personal information was compromised, the university was in the process of sending out letters to those whose information might be at risk.
The password-protected laptop is programmed to alert the school if it’s connected to the Internet, yet no connection has been detected thus far.
While the computer doesn’t contain the complete medical records of any patient, it does contain a slew of patients’ names, location of service, medical record numbers, treatment history, birth dates and in some cases, Social Security numbers.
The hospital suffered a more widespread but less critical data breach last August after the information of 20,000 patients was found online. This batch of information, culled from a six month period at the hospital’s emergency room didn’t include Social Security numbers or birth dates but did include names and diagnosis codes. The information had been floating around online in spreadsheet form, in a vendor’s electronic file, for almost a year according to a New York Times report last September. The file was found on August 22 and removed the next day but still prompted the filing of a $20 million class action lawsuit against the hospital and the vendor involved in the breach, Multi-Specialty Collection Services, LLC (MSCS).