John Muir Hospital in Walnut Creek reports HIPAA HITECH Breach of 5,450 patients

Since I used to live in the Walnut Creek area and have been to John Muir Hospital, this breach struck a little closer to home. Coupled with the breach at Kaiser, my current healthcare provider, it seems like they are closing in on me. I am not a paranoid person by nature, but I am becoming increasingly aware that the likelihood of my healthcare data being exposed is way too high. I give you the San Francisco Business Times article in full because I think it is very well written, and the last time I wrote about a breach I was berated for not giving enough information. Be fully informed.

Monday, April 5, 2010, 1:52pm PDT
John Muir Health to notify 5,450 patients of data breach
San Francisco Business Times - by Chris Rauber

John Muir Health, the Walnut Creek-based hospital system, said Monday it has begun notifying 5,450 patients by mail of a “potential breach of their personal and health information.”

The move came after the theft two months ago of two laptop computers at the John Muir Physician Network Perinatal office in Walnut Creek, officials said April 5.

“The laptops were password protected and contained data in a format that would not be readily accessible. While we have no evidence that the information has been accessed or used inappropriately, we cannot rule out that possibility, and, therefore, are notifying patients to help protect their identity,” said Hala Helm, Muir’s vice president and chief compliance and privacy officer.

“We apologize for any inconvenience or anxiety this incident may cause our patients,” Helm said in the statement. “We take this issue very seriously and are committed to protecting the personal and health information of our patients.”

In addition to the Walnut Creek Police Department, the U.S. Department of Health and Human Services has been notified of the theft and possible privacy breach. John Muir Health said it is continuing to cooperate with the investigation.

After discovering the theft, officials notified the Walnut Creek police and “conducted a thorough internal investigation to determine what information was stored on the laptops, whether the information could potentially be accessed and, if so, who was potentially affected.”

External vendors and internal experts discovered that the missing laptops contained personal and health information going back more than three years.

Officials say they initiated the notification process as soon as they knew what information was stored on the missing laptops and which patients were affected. “We wanted to make sure we had accurate information and could address questions from our patients,” Helm said.

Although officials still hope the laptops will be found, they say it’s their responsibility “to help our patients protect themselves from the potential of identity theft and fraud.”

As a result, Muir is recommending that affected patients place a fraud alert on their credit files. The notification letter has details on how to do this, and the hospital system says it has arranged with Equifax to provide identity theft protection for those patients “at no cost to them for one year.”

Although John Muir officials say they believe reasonable safeguards were in place, including a locked and guarded building and password-protected laptops, they have since implemented additional security measures, “including data encryption software, as a result of this incident,” Helm said. “Patient information stored on laptops at the Perinatal office is now encrypted, and the laptops are locked down. Encryption software is also being installed on John Muir Health laptops throughout the organization.”

The breach is the latest to occur in the Bay Area and Northern California, following similar incidents at UC San Francisco and Kaiser Permanente. But the problem is national in scope, and similar data breaches have occurred coast to coast.


Chris Rauber covers health care, insurance and the wine industry for the San Francisco Business Times.
