[ISN] Health Care Firm Recovers Stolen Laptop

From: InfoSec News (alerts@private)
Date: Tue Aug 29 2006 - 00:05:49 PDT


By Linda Rosencrance
August 28, 2006 

A health care group in Michigan disclosed last Tuesday that a laptop PC 
containing personal information on about 28,000 home-care patients had 
been stolen in a car theft. But the company said Thursday that it had 
recovered the laptop and determined that the thieves hadn't accessed the 
patient data.

The data on the Dell laptop was encrypted and password-protected, 
according to a statement from William Beaumont Hospital in Royal Oak. 
But the car theft, which occurred Aug. 5 in Detroit, caused particular 
concern among hospital officials, because the affected employee's ID 
access code and password were written on a piece of paper that was taped 
to the inside of the stolen PC.

The employee, a nurse who has since been fired, was a new worker and was 
still completing orientation procedures, the hospital said when it 
disclosed the theft. It noted that Detroit police had recovered the 
nurse's car without the laptop.

However, Beaumont later said that the laptop had been found after a 
resident of the area from which the vehicle was stolen called a hospital 
official and said the thief had dropped the computer while being chased 
on foot by someone from the neighborhood.

The system's hard drive was examined by an independent computer 
forensics expert, who informed Beaumont that the patient data hadn't 
been accessed since the theft took place.

The data included the names, addresses, birth dates, medical insurance 
information, Social Security numbers and some personal health records of 
patients who had received home-care treatment from Beaumont over the 
past three years. The theft of the computer wasn't related to any 
knowledge of its data contents, the company said, adding that the system 
was in a bag in the back seat of the stolen car.

Beaumont operates hospitals in Royal Oak and Troy, Mich., plus medical 
clinics, other facilities and the home-care service. Chris Hengstebeck, 
director of security at the hospital in Troy, said in a statement that 
Beaumont officials "are so relieved to recover the laptop so that we can 
put our patients' minds at rest. And we are relieved that no one's 
personal or medical information was accessed."

Nonetheless, the company has taken a series of internal and external 
actions in response to the theft. For example, Hengstebeck said in an 
interview that the Beaumont Home Care employees directly involved in the 
incident no longer work for the company. That includes the nurse and her 
direct managers, he said.

Beaumont also said that its IT department has reviewed and strengthened 
computer security systems and processes. In addition, IT staffers have 
inspected all the laptops used by home-care workers and are reinforcing 
security and password procedures with employees companywide.

Beaumont sent a letter to all of its home-care patients to notify them 
about the missing laptop, and it has set up a toll-free hot line and a 
Web site to provide information. The company also will provide a year's 
worth of credit-reporting services to Beaumont Home Care patients 
through Trans Union LLC. That offer remains in place despite the 
recovery of the laptop, "out of consideration for the stress and concern 
caused patients by the theft," Beaumont said.

The company is paying a $2,500 reward to the Detroit resident who made 
the phone call.
