WASHINGTON, D.C. (WUSA) - Howard University Hospital this week sent notification to patients of a potential disclosure of their protected health information in late January. A former contractor's personal laptop containing patient information was stolen, according to a statement by the hospital.
The laptop, taken from the former contractor's vehicle, was password protected.
No evidence suggests that any of the patients' files have been accessed. The former contractor downloaded the files to a personal laptop in violation of Howard University Hospital policy and federal health care rules.
"We regret this incident, and we have already put in new procedures to prevent similar violations in the future," said Larry Warren, the hospital's CEO, in a statement.
The hospital says it has strengthened its contractor policies to make clear that data and laptop encryption are required. Additionally, all laptops issued to Howard University Health Sciences personnel will be encrypted.
The hospital has sent letters to 34,503 patients affected by the breach. The records contained the Social Security numbers for a number of those patients. The hospital has recommended patients contact their banks and credit card companies immediately to notify them of the potential disclosure of their Social Security number.
In addition, the hospital will provide those patients whose Social Security numbers were included in the information on the laptop with identity theft alert coverage for a period of one year. Patients cansign up for the program by asking to be enlisted using the envelope addressed to the hospital attached to each outgoing letter.
The hospital also suggested that patients check with their banks, credit card companies and other financial institutions for any unusual activity on their accounts. The hospital included in the notice contact information for the three major credit reporting agencies - Equifax, Experian and TransUnion - so that concerned patients can establish a fraud alert with the agencies and request a free credit report to check for signs of illegalactivity.
The contractor, who stopped working for the hospital in December 2011, reported the theft of the laptop to police on Jan. 25. The contractor subsequently notified hospital officials of the theft. Hospital officials immediately launched an investigation and found the former contractor's laptop contained patient information. The data varied in the types of information contained, but included some or all of the following: names, addresses, Social Security numbers, identification numbers, medical record numbers, birthdates, admission dates, diagnosis-related information and discharge dates.
The diagnosis-related material primarily consisted of medical codes used by hospitals and other medical institutions. In a minority of cases. the information includes written descriptions of a patient's medical procedures or condition. The information primarily covers patients who received treatment at the hospital between December 2010 and October 2011, although in some cases the data extend back to 2007.