Attorney General Wants Information about Unencrypted Data Lost
in Hartford Hospital Data Breach
Attorney General George Jepsen is seeking more information from Hartford Hospital about why unencrypted personal information and protected health information of approximately 9,000 patients was stored on a laptop apparently stolen from a third-party vendor.
Attorney General Jepsen sent a letter to the hospital July 16, the same day he was notified about the breach that the hospital discovered in late June. The letter, to an attorney representing the hospital, outlined the scope of his request – from how the breach occurred to the steps being taken by the hospital and its vendors to safeguard sensitive information.
In addition, the Attorney General asked the hospital to provide patients whose information was lost with two years of credit monitoring services and identity theft insurance, and to pay for a security freeze to be placed on, and later lifted from, a patient’s credit reports.
“I am very concerned about the number of records and the nature of the personal information that was lost,” Attorney General Jepsen said. “It is important to learn why records of this kind were stored in unencrypted files on a personal laptop and whether any additional information may be at risk.”
The hospital acknowledged this week that the lost data included records of 2,097 Hartford Hospital patients and 7,461 VNA Healthcare patients. The records contained names, addresses, dates of birth, marital status, Social Security numbers, Medicaid and Medicare numbers, medical record numbers and certain diagnosis and treatment information.
The hospital said the laptop belonged to an employee of Greenplum, a subsidiary of EMC Corp., a vendor performing a quality improvement project on hospital readmissions. The laptop theft was reported to police and is under investigation.
The Attorney General said he wants to see the policies and procedures the hospital uses to protect and secure personal information under the federal Health Insurance Portability and Accountability Act, as well as its policies and procedures governing business associates and business associate agreements.
Assistant Attorney General Matthew Fitzsimmons, head of the OAG’s Data Privacy Task Force, is assisting the Attorney General with this matter.