Laptop Theft Exposes Data on 16,000 Patients in Minnesota


The theft of a laptop might have exposed health data on more than 16,000 patients at Fairview Health Services and North Memorial Medical Center, two Minnesota-based health care systems, the Minneapolis Star Tribune reports (Lerner/Kennedy, Minneapolis Star Tribune, 9/28).

Details of the Breach

The theft occurred after an employee of Accretive Health -- a revenue cycle management company working with Fairview and North Memorial -- left the laptop in a locked car on July 25 (Goedert, Health Data Management, 9/28).

Hospital officials said they waited until now to begin notifying patients about the data breach because it took time for investigators to determine what information was compromised.

Officials said the laptop was unencrypted and included data on about 14,000 Fairview patients, including:

  • Birth dates;
  • Names;
  • Social Security numbers; and
  • Some medical information.

They noted that the laptop also included data on about 2,800 North Memorial patients, including:

  • Names;
  • Medical record numbers; and
  • Limited clinical information (Minneapolis Star Tribune, 9/28).

The laptop did not include any patients' credit card information.

Hospital Officials' Response

Fairview and North Memorial officials said there is no evidence that the information has been misused (Snowbeck, St. Paul Pioneer Press, 9/27).

Fairview officials noted that the hospital system and Accretive both have policies to encrypt laptops, but that the Accretive employee in question did not comply with the policy.

Fairview is offering one year of free identity theft protection and fraud monitoring services. If necessary, those affected could be eligible to receive $20,000 of identity theft reimbursement, paid for by Accretive.

In addition, Fairview officials said they plan to limit their use of Social Security numbers in the future (Health Data Management, 9/28).

Allan Rodriguez
As a hospital compliance officer I find this very scary. If Accretive has a policy to encrypt laptops, then how could the employee have not complied? The employee is not responsible for encrypting his/her laptop. Either Accretive encrypts its laptops or it doesn't. It sounds like it doesn't, which, if true, puts all of its clients at inappropriate risk. Hopefully, Accretive clients will demand proof of encryption and other HIPAA-required protections. Frankly, Accretive should be sanctioned more sternly as it supposedly is a sophisticated IT company and should be expected to be expert at protecting PHI!
