GEORGIA CANCER PATIENTS AT EMORY HOSPITAL TOLD THEIR PERSONAL DATA WAS ON STOLEN COMPUTERS TAKEN FROM ERS Cancer patients now face risk of ID theft, Emory warns | ajc.com

Cancer patients now face risk of ID theft, Emory warns

By BILL HENDRICK
The Atlanta Journal-Constitution
Published on: 01/02/07

The Emory and Grady patients were among thousands from hospitals in four states potentially affected by the theft of a computer in suburban Cincinnati.

The patient records included names, Social Security numbers, addresses, medical data and treatment information, Emory said in letters dated Dec. 20. The information was stored in acomputer stolen from an office of Electronic Registry Systems, one of Emory Healthcare's business contractors.

Emory spokeswoman Sarah Goodwin said confidential information from 32,071 patient files of Emory and Crawford Long patients had been taken, along with 5,959 from Grady. The Grady records were those of cancer patients treated by Emory physicians, Goodwin said.

Emory University owns Emory Healthcare, of which Emory Hospital and Crawford Long are a part.

Police in Ohio said the Nov. 23 theft appeared to be a "random smash and grab break-in" and not a theft "for purposes of stealing information off the computer."

Electronic Registry Systems is a vendor that provides cancer registry data processing services to Emory and other hospitals and health care systems around the country. Emory is required by law to collect, update and maintain the data contained in the registry. The records for Emory Hospital have been collected since 1977, since 1981 for Crawford Long and 1986 for Grady, Goodwin said.

The company said in a statement that the data is rigorously protected with "multiple layers of security" and that police have no evidence that thetheft was motivated by a desire to steal data.

Patient info from 3 other states

ERS said the computer contained confidential information on patients from Pennsylvania, Tennessee and Ohio as well as Georgia.

Geisinger Health System in Pennsylvania said files of 25,000 of its patients were among those in the computer that was stolen, and that it has notified them. Other hospitals involved include Williamson Medical Center in the Nashville, Tenn., area; one in Ohio and two other hospitals that were not identified. Numbers of affected patients from other hospitals were not released.

Emory Healthcare, in a statement by chief privacy officer Anne Adams, said, "We believe it is unlikely" that patients might be victimized by the theft.

"We know that this information and its security are important to you, as it is to us, and we are sorry that this situation has occurred," Adams said in the letter. "Fortunately, the registry information on thecomputer in question was double password-protected making it extremely difficult to access."

"We deeply regret any inconvenience this isolated and random incident may cause you," Adams wrote.

Emory sent a question and answer sheet with the letter, informing patients how to put a fraud alert on credit reports.

The patient information was collected under the Health Insurance Portability and Accountability Act, a federal law that seeks to protect patient health information.

In the two-page question-and-answer sheets that accompanied Emory's letter, patients were told fraud alerts can help prevent an identity thief from opening any accounts in their names.

Only one of the three consumer reporting companies need to be contacted, Emory said, because each is required to contact the other two.

Emory explained that the data was sent to ERS, which "helps numerous cancer registries to manage their data."

Lt. Mike Mathis of the Springdale, Ohio, police said the theft occurred in the suburb 15 miles north of downtown Cincinnati. Thieves broke a window to get into a three-story office building, then broke down the doors to several offices, including that of ERS, plus a loan office and a modeling agency, he said. Another tenant discovered the break-in and alerted authorities.

Two computers, one of them a laptop and the other a desk model, were taken from ERS, Mathis said. Besides computers, the thieves took a remote-control toy car and a print of the skyline of Cincinnati from offices in the building, Mathis said. They left the computers at the loan office intact.

Mathis said he had seen no evidence that identity theft was a motive in the burglary.

"I don't believe that's why the computers were taken, and I don't think the information is going to be accessed," he said.