Lucile Packard Children’s Hospital at Stanford is notifying nearly 13,000 patients by mail that a password-protected, non-functional laptop computer that could potentially contain limited medical information on pediatric patients was stolen from a secured, badge-access controlled area of the hospital sometime between May 2 and May 8.
This incident was reported to Packard Children’s on May 8. Immediately following discovery of the theft, Packard Children’s launched an aggressive and ongoing investigation with security and law enforcement, hospital officials said. To date, there is no evidence that any pediatric patient data has been accessed by an unauthorized person or otherwise compromised.
The information that could potentially have been on the stolen computer related to operating room schedules, which the employee accessed as part of her work functions through Packard Children’s secure and encrypted electronic systems. The computer was password protected, but some information could have transferred to the laptop, and the laptop was not encrypted. The computer was outdated and damaged, thus on a schedule for collection by information technologists.
The information did not include financial or credit card information, nor did it contain Social Security numbers, insurance numbers or any other marketable information. The information on the operating room schedule that could have transferred to the computer would have been patient names, ages, medical record number, telephone number, scheduled surgical procedure, and name of physicians involved in the procedure over a three-year period beginning in 2009.
This is not the medical center’s first HIPAA breach this year. In January, the Palo Alto, Calif.-based Lucile Packard Children's Hospital notified approximately 57,000 patients of a data breach after an unencrypted company laptop containing patient medical information was stolen from a physician's car.