A University of Texas cancer center today began notifying almost 30,000 patients that their personal data was stolen after someone swiped an unencypted laptop from a physician’s home almost two months ago.
The University of Texas MD Anderson Cancer Center issued a news release saying it waited to notify victims until it had conducted a thorough investigation following the reported theft on April 30. The next day, officials said, MD Anderson began working with outside forensics experts to determine what information was on the stolen computer. That data included patient information such as names, medical record numbers and treatment and research information. In about 10,000 cases, it also included Social Security numbers.
“There is an ongoing criminal investigation into the theft, and MD Anderson is working closely with law enforcement to recover the computer. MD Anderson takes this incident very seriously and is committed to protecting patient privacy,” according to the prepared statement.
The center’s senior vice president for business affairs told the Houston Business Journal the hospital waited to send letters to victims until it was more certain what unencrypted information was on the laptop since it differed for various patients.
“We moved with as much dispatch as we could, not wanting to create unnecessary anxiety” for unaffected patients, Dan Fontaine said.
He also said in a message to employees, “We have no reason to believe that the computer was stolen for the information it contained.”
The cancer center is offering credit monitoring services for those whose Social Security numbers were compromised and taking steps to better secure all MD Anderson computers and the patient data held within them. Additionally, hospital officials say they will reinforce privacy policies so all employees properly handle patient data.
Last year MD Anderson treated more than 108,000 patients, including nearly 10,000 enrolled in clinical trials involving experimental treatments, the largest such program in the nation.