Elliot Hospital patients notified of data breachBy MARK HAYWARD
New Hampshire Union Leader
May 27. 2014 8:14PM
MANCHESTER — Elliot Hospital has notified about 1,200 patients of a data breach that happened in March when four computer workstations, which contained names and patient information, were stolen from an employee’s car.
The hospital stressed that the computer hard drives contained no electronic medical records or financial information. Only one Social Security number — that of a hospital employee who is also a patient — was on the computers.
The hospital notified 1,208 patients of the data breach in a letter dated May 16, said John Friberg, senior vice president of Elliot Health System. The thefts took place March 27.
Friberg said the delay involved the time that information-technology workers needed to reconstruct what was on the hard drives of the stolen computers. He said a general warning was not issued immediately because the information on the computers could not lead to identity theft.
“The sense of urgency wasn’t as great than it would be if this were financial or information from medical records,” Friberg said.
Friberg said the computer work stations were in the car of an Elliot worker who was transporting them from two Elliot locations to the Elliot at River’s Edge, where the hospital’s data destruction office is located.
He said the car was parked in Manchester when the equipment was stolen. It was not at an Elliot location, and Friberg said he can’t discuss whether anyone was disciplined for what happened. He did not know if the car was locked.
The stolen information included 20 emails, which contained the most sensitive data. Some of the emails included names along with information such as date of service, date of birth, address, telephone number and billing codes.The other names were on three spreadsheets. Some contained as little as patient name and date of service. Other spreadsheets included patient name, date of service and either a billing code or an internal record number that could indicate what physician the patient saw.Friberg said all the providers were primary care physicians, so the data could not be used to make an assumption about what kind of care the patient was receiving.Elliot has taken several steps to tighten computer security, Friberg said. PCs will no longer auto-archive data in the individual hard drive; rather, data will be archived centrally. And the hospital will roll out an encryption system for all PCs, rather than the laptops and notebooks that are now encrypted.Friberg said he did not want to identify the two Elliot Hospital locations from where the computers came. To do so would create unnecessary anxiety in patients whose data were not compromised, he said.“We don’t want to create the regulatory version of false positives,” he said.