Lucile Packard Children’s Hospital (LPCH) at Stanford is appealing a California Department of Public Health (CDPH) penalty issued on April 23, 2010. The $250,000 fine was levied for late reporting of a security incident. According to a September 9, 2010 press release issued by the hospital, the incident was related to “the apparent theft earlier in the year of a password-protected desktop computer that contained information about 532 patients.” The press release further states:
The computer in question was used by an employee whose job required access to patient information. Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.
As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients. The hospital also provided to the families identity theft protection and other support services. Theft charges have been filed against the former employee.
The LPCH incident is an instance of what is generally considered the most common form of breach: a lost or stolen device holding patient data (here a desktop computer rather than the more usual laptop). Two points are worth drawing out. First, the press release describes the machine only as “password-protected.” A login password does nothing for data at rest once someone has physical possession of the disk; only full-disk encryption does, and an encrypted device is the one case in which a theft need not be treated as a breach of the data on it. Second, no matter how much training you provide or how many times you emphasize zero tolerance for mishandling portable equipment, there will always be negligent or reckless conduct involving it. On top of the forensics and notification costs associated with such events, California hospitals now also face significant regulatory penalties, and, as this case shows, the penalty can attach to the timing of the report rather than to the loss itself. Thankfully, incidents have been decreasing somewhat as practices improve, and low-cost insurance products exist that cover breach expenses and fines on the occasions when an incident is not avoided.