Conn. AG has questions about hospital security breach
HARTFORD, Conn. (Legal Newsline) - Connecticut Attorney General George Jepsen has requested information from Hartford Hospital about why the unencrypted personal health information of approximately 9,000 patients was located on a laptop stolen from a third-party vendor.
Jepsen sent a letter to the hospital on July 16, which was also the day he was notified about the breach discovered by the hospital in late June. The letter outlined the scope of the request ranging from how the breach occurred to the steps that have been taken by the hospital and its vendors to safely guard such sensitive information.
The letter was sent to an attorney representing the hospital.
"I am very concerned about the number of records and the nature of the personal information that was lost," Jepsen said. "It is important to learn why records of this kind were stored in unencrypted files on a personal laptop and whether any additional information may be at risk."
The letter also requested that the hospital provide two years of credit monitoring services, two years of identity theft insurance and a payment for a security freeze to be placed and lifted from credit reports for all patients whose information was lost.
Hartford Hospital has acknowledged that it lost the data of 7,461 VNA Healthcare patients and 2,097 Hartford Hospital patients. The records included the medical record numbers, Medicare and Medicaid numbers, Social Security numbers, marital status, dates of birth, addresses, names, and certain treatment and diagnosis information of the patients.
The laptop belonged to an employee of Greenplum, a subsidiary of EMC Corp. EMC Corp. is a vendor performing a project related to quality improvement on hospital readmissions. The laptop theft is being looked into by the police.
Jepsen wants to see the procedures and policies the hospital uses to secure and protect personal information under the federal Health Insurance Portability and Accountability Act. Additionally, Jepsen requested to see the hospital's policies and procedures related to business associates and business associate agreements.