BOWLING GREEN, KY – A medical center in Kentucky is notifying 5,418 patients of a data breach that occurred when computer equipment, containing information on patients who underwent bone density testing, was stolen from its mammography suite. Hospital officials reported that the information on the hard drive was not encrypted, but was maintained in a locked, non-public, private area. 

Officials at The Medical Center at Bowling Green said the stolen piece of equipment held the data of patients who had bone density testing done between 1997 and 2009.

The Medical Center at Bowling Green is a 337-bed, full service, not-for-profit hospital and is the flagship hospital for the Commonwealth Health Corporation (CHC), a not-for-profit holding company for hospital and health related businesses in South Central Kentucky and beyond.

Hospital officials have determined that the information on the stolen device included each patient's full name, date of birth, address, medical record number and physician name. Some patients' records also included information such as social security numbers, weight, height, and menopause age.

The hospital became aware of the theft on April 1 and immediately conducted a comprehensive investigation of the incident and reported it to the Bowling Green Police Department, according to officials.

"As a result of this breach, steps are underway to further strengthen the security of patient information. We will now archive data to a secure network, which will allow us to eliminate the need for use of a hard drive like the one that was stolen," said hospital officials. "Additionally, we will ensure that we do not have any other equipment
configurations that utilize a portable hard drive containing non-encrypted data."

The Medical Center is following all of the requirements of the American Recovery and Reinvestment Act of 2009 and the Health Information Technology for Economic and Clinical Health Act, which include: notification of the U.S. Secretary of the Department of Health and Human Services; notification of patients who may have had their personal protected health information accessed by the breach; public disclosure to the local media; and posting information about the breach on The Medical Center's Web site.

"We have no reason at this point to believe the device was stolen for the information on it or that any personal information has been released or used," said hospital officials.

The Federal Trade Commission recommends the following steps to prevent any possible misuse of personal information:

• Monitor accounts and bank statements each month and check credit reports on a regular basis.
• Stay alert for the signs of identity theft, such as:
• Accounts you didn't open and debts on your accounts that you can't explain;
• Fraudulent or inaccurate information on your credit reports, including accounts and personal information, such as your Social Security number, address(es), name or initials, and employers;
• Failing to receive bills or other mail. Follow up with creditors if your bills don't arrive on time. A missing bill could mean an identity thief has taken over your account and changed your billing address to cover his tracks;
• Receiving credit cards that you didn't apply for;
• Being denied credit or being offered less favorable credit terms, like a high interest rate, for no apparent reason; and
• Getting calls or letters from debt collectors or businesses about merchandise or services you didn't buy.
• Obtain a free copy of your credit report from each of the three major credit bureaus (Equifax, TransUnion and Experian) by calling 1-877-322-8228 or by visiting this Web site.