Stanford reports fourth HIPAA breach

Some 57,000 pediatric patients get notified
By Erin McCann
11:00 AM

Some 57,000 patients seen at the Palo Alto, Calif.-based Lucile Packard Children's Hospital have been notified of a potential HIPAA-breach after an unencrypted company laptop containing patient medical information was stolen from a physician's car Jan. 9. 

The 311-bed hospital, an academic medical center on the Stanford University campus, announced Monday that the patient information compromised included names, dates of birth, medical record numbers and other clinical data. Officials say the stolen laptop contained primarily patient data from 2009.   
Officials say the incident was reported to the hospital Jan. 10, which was followed by patient notification and an "ongoing investigation with security and law enforcement."
"As a result of this incident, we are taking additional steps to further strengthen our policies and controls surrounding the protection of patient data, including redoubling our efforts to ensure that all computers and devices containing medical information are encrypted," according to a press statement. 
Despite the promises to strengthen policies and encryption efforts, this is not the first HIPAA data breach at Lucile Packard Children's Hospital or Stanford University Medical Center. Rather, it's the fourth. Three earlier events involving both groups have already been investigated by the HHS Office for Civil Rights.
In 2010, Stanford Hospital & Clinics notified nearly 20,000 patients that their protected health information had been wrongfully posted to a student website, which resulted in a class action lawsuit filed for $20 million. Later in July 2012, Stanford University Medical Center notified 2,500 patients of a HIPAA-breach after an unencrypted computer was stolen from a physician's office. 
Moreover, in January of 2010, Lucile Packard Children's Hospital reported a breach involving more than 500 patients after an employee stole a hospital computer. The hospital failed to report the breach within the five-day timeframe established by the state and eventually was slapped with $250,000 in fines.
This story has been updated.

More regional news

Doctor in PPE

Photo by Morsa Images/Getty Images

MemorialCare Saddleback Medical Center MemorialCare Health System mental health

MemorialCare Saddleback Medical Center (Credit: MemorialCare Health System)

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.