For the second time in four months, Truman Medical Centers has suffered a data breach, this one involving more than 114,000 patients.
The Kansas City safety net hospital informed the Department of Health and Human Services’ Office for Civil Rights that the cause of the breach was a laptop theft on Dec. 5.
Leslie Carto, a spokeswoman for the hospital, said the work-issued laptop was stolen from an employee’s vehicle.
The computer was password-protected, Carto said, and “there’s no evidence that any unauthorized party accessed, viewed or misused the information.”
“While we think the odds of the thief being able to crack the password and find any PHI (protected health information) are slim, we owe it to our patients to let them know about the theft,” Carto said.
Truman is offering credit monitoring services to patients who request them.
In August, Truman was hit with a ransomware attack that locked the hospital out of parts of its computer system.
Truman agreed to pay a small, undisclosed amount of money to the ransomware attackers to unlock the data. The hospital said that patients’ personal health and financial information was kept on another system and was not affected by that attack.
Data breaches are a huge problem for the healthcare industry, costing it $4 billion this year, according to a survey by Black Book Market Research. The survey says that more than 93% of healthcare organizations have experienced a data breach in the last three years and 57% have had more than five data breaches during the same period.
In the first seven months of 2019 alone, more than 31 million health records in the U.S. were compromised by security breaches. That was more than double the number of incidents affecting the healthcare industry in all of 2018.
Medical records can command up to $1,000 on the internet’s dark web – encrypted online content that’s accessible only with special browsers – compared with up to $110 for credit card information or $1 for Social Security numbers.
A year ago, a local anesthesia group notified 3,472 patients that some of their personal information may have been compromised after surgery schedules were stolen from an employee’s car.
Anesthesia Associates of Kansas City, which is based in Overland Park, said that a nurse anesthetist had placed a backpack containing the schedules in a visible part of his car – a violation of the group’s data security protocols.
Last month, another laptop theft, at Washington University School of Medicine in St. Louis, involved 3,237 patient records.
And in September, Ferguson Medical Group in Sikeston, Missouri, was hit with a ransomware attack, rendering inaccessible medical records for services the group had provided before Jan. 1, 2019. The group did not pay a ransom; it was able to restore access to most but not all of the records through backup files.
Saint Francis Medical Center in Cape Girardeau, which recently acquired Ferguson Medical Group, said it did not believe the incident resulted in the disclosure of patient information to unauthorized parties.
Dan Margolies is a senior reporter and editor at KCUR. You can reach him on Twitter @DanMargolies.