ONTARIO COMPUTER CONTAINING HOSPITAL PATIENT DATA STOLEN FROM RESEARCHER globeandmail.com: Information on 2,900 patients stolen with laptop:

Information on 2,900 patients stolen with laptop

Ontario Privacy Commissioner urges officials to encrypt personal health data

The theft of a researcher's laptop computer has exposed 2,900 current and former patients of Toronto's acclaimed Hospital for Sick Children to unauthorized release of their personal health information.

The stolen data contain information on 10 research studies involving patients in the rheumatology, endocrinology, infectious diseases and cardiac programs at the hospital. About 1,900 of the patients are now adults.

The theft took place on Jan. 4, but came to light with Ontario Privacy Commissioner Ann Cavoukian's announcement yesterday that she will release a report this morning on her investigation into the security breach.

Ms. Cavoukian was not available for comment yesterday. She said in her announcement that she is calling on every health-information custodian in the province to take a number of steps to protect patient information, including having it encrypted so hackers can't read it.

"There is no excuse for unauthorized access to personal health information due to the theft or loss of a mobile computing device," Ms. Cavoukian said. "Any personal health information therein must be encrypted."

The theft occurred on the evening of Jan. 4, when a doctor at Sick Kids left his car unattended after work in a public area with the laptopcomputer locked inside. Helen Simeon, a spokeswoman at Sick Kids, said someone broke into the doctor's car and stole the computer. Nothing else was taken.

The doctor immediately notified the police about the theft, Ms. Simeon said. Sick Kids, in turn, reported the incident to the Privacy Commissioner. On March 1, the hospital put a notice about the incident on its website.

"We wanted to notify patients first, and it took some time to find the names and who was actually involved in the studies," Ms. Simeon said.The hospital said the computer was protected by a password and it is not likely the data could be easily understood by someone who lacks clinical training.

It also said the care of patients is not affected because the stolen computer contained research data rather than patient charts, which would include a complete history of an individual. The data included information relevant to the studies that was taken from the patients' charts.

Ms. Simeon acknowledged that any savvy computer hacker would likely be able to access the data, despite the password. She said the hospital is working with Ms. Cavoukian's office to introduce better safeguards, including encryption devices.

"This is an incident that could have happened to anyone," she said. "He did what he could and responded immediately to report it, but I think, in general, people are cautious about information they take out of the hospital."

This is not the hospital's first security breach. About two years ago, a flash card, or electronic storage device, that contained data on 70 patients was lost.