Stanford reports fourth HIPAA breach

Some 57,000 pediatric patients get notified

Some 57,000 patients seen at the Palo Alto, Calif.-based Lucile Packard Children's Hospital have been notified of a potential HIPAA-breach after an unencrypted company laptop containing patient medical information was stolen from a physician's car Jan. 9. 

The 311-bed hospital, an academic medical center on the Stanford University campus, announced Monday that the patient information compromised included names, dates of birth, medical record numbers and other clinical data. Officials say the stolen laptop contained primarily patient data from 2009.   
 
[See also: Arkansas data breach remains unclear, gender discrimination lawsuit at core.]
 
Officials say the incident was reported to the hospital Jan. 10, which was followed by patient notification and an "ongoing investigation with security and law enforcement."
  
"As a result of this incident, we are taking additional steps to further strengthen our policies and controls surrounding the protection of patient data, including redoubling our efforts to ensure that all computers and devices containing medical information are encrypted," according to a press statement. 

[See also: Infographic: Biggest healthcare data breaches of 2012 .]
 
Despite the promises to strengthen policies and encryption efforts, this is not the first HIPAA data breach at Lucile Packard Children's Hospital or Stanford University Medical Center. Rather, it's the fourth. Three earlier events involving both groups have already been investigated by the HHS Office for Civil Rights.
 
[See also: Cancer Care data breach compromises 55,000.]
 
In 2010, Stanford Hospital & Clinics notified nearly 20,000 patients that their protected health information had been wrongfully posted to a student website, which resulted in a class action lawsuit filed for $20 million. Later in July 2012, Stanford University Medical Center notified 2,500 patients of a HIPAA-breach after an unencrypted computer was stolen from a physician's office. 
 
Moreover, in January of 2010, Lucile Packard Children's Hospital reported a breach involving more than 500 patients after an employee stole a hospital computer. The hospital failed to report the breach within the five-day timeframe established by the state and eventually was slapped with $250,000 in fines.
 
This story has been updated.