[ISN] McKesson: Stolen Computers Contain Patient Information

From: InfoSec News (alerts@private)
Date: Sun Sep 09 2007 - 23:11:50 PDT


By Sharon Gaudin
September 7, 2007

Health-care services company, McKesson, is alerting thousands of its 
patients that their personal information is at risk after two of its 
computers were stolen from an office.

The company, which helps pharmaceutical manufacturers set up assistance 
programs for patients in need, sent out a letter alerting patients that 
the computers were stolen on July 18. The names of the people being 
alerted were on one of the two PCs, but it's not known how much of their 
accompanying identifying information was also contained on the machines.

"Your personal information may have been on one of the two computers 
that were stolen from a McKesson office," wrote Patrick Blake, president 
of McKesson Specialty Pharmaceutical, in the letter to one patient. "At 
this point, we have not determined if your personal information was on 
either stolen computer. However, we are taking the precaution of 
notifying every patient whose information might have been on the 
computers, just to be safe."

A spokesman for McKesson did not return phone calls requesting comment, 
but a company representative on the McKesson hotline said "thousands" of 
patients were affected and letters were sent to everyone who had at 
least a name on one of the machines. It's possible that identifying 
information, including addresses, prescribed medications, dosages, 
Social Security numbers, and dates of birth, also were contained on the 
computers. The loss appears to affect both current and former patients.

The company representative said it's not clear if the data on the 
machines was encrypted. Local police and the FBI have been called in on 
the investigation.

Blake's letter suggested that those contacted put a fraud alert on their 
credit files. The representative on the McKesson hotline said the 
company would give customers a year of free credit reporting if they 
requested it.

"We also have taken steps to ensure this doesn't happen again by 
increasing and improving employee understanding and awareness of 
corporate security policies and procedures, policies for handling 
patient data, and company security processes," wrote Blake. "We deeply 
regret that this incident occurred."

The hotline number is: 866-554-6366.

The impact of data theft is usually severe when health-care companies 
are involved. Earlier this year, a laptop was stolen from a secure 
office in a Texas hospital group, putting identifying information on 
7,800 patients without health insurance at risk. The Seton Family of 
Hospitals reported in February that a security camera captured video of 
a thief carrying out a laptop and a projector. The laptop contained 
identifying personal information such as Social Security numbers, dates 
of birth, and insurance program numbers.

Visit the InfoSec News Bookstore

This archive was generated by hypermail 2.1.3 : Sun Sep 09 2007 - 23:20:04 PDT