In the last few days, two hospitals have announced data breaches involving protected health information.

The first incident, announced on October 1, 2013, involved St. Mary's Janesville Hospital, a 50-bed facility serving residents of Rock County, Wisconsin.

According to the press release posted on the facility's website:
  • Circumstances: Laptop was stolen from an employee's car
  • Incident date: August 26 or 27, 2013
  • When discovered (by hospital): August 27, 2013
  • How discovered: Presumably when the employee notified the hospital
  • Patient notification date: September 30, 2013
  • Public notice date: October 1, 2013
  • Number of patients impacted: 629
  • When/where patients received treatment: Patients treated in the emergency department of St. Mary's Janesville Hospital between January 1, 2013 and August 26, 2013
  • Information on the laptop: May have included patient name, date of birth, medical record and account numbers, provider and department of service, bed and room number, date and time of service, visit history, complaint, diagnosis, procedures, test results, vaccines (if administered), and medications. The laptop did not contain any Social Security numbers, addresses, credit card numbers, or financial information of any kind.
St. Mary's advised in its press release that the hospital "inspected all laptops to ensure they all have encryption software" and that the hospital "will actively be monitoring consistency of laptop encryption and conducting monthly audits to ensure compliance with [the hospital's] encryption policies." But the fact that patient notification and public notice were required at all indicates that the stolen laptop was either not encrypted or that the PHI was stored outside the encrypted portion of the disk: under the HIPAA breach notification rule, PHI encrypted consistent with HHS guidance is not "unsecured" PHI, and its loss does not trigger notification.

St. Mary's has partnered with ID Experts to provide the impacted patients with identity theft monitoring services for one year.

The second incident was announced on October 2, 2013 by UnityPoint Health, a healthcare system providing services throughout Iowa and Illinois. According to UnityPoint's press release (which appears to have been released to the media, but which could not be located on the system's website at https://unitypoint.org):
  • Circumstances: UnityPoint's electronic medical record (EMR) system was accessed by an unauthorized individual using the login credentials of authorized individuals
  • Incident date: Records accessed over a period from February 2013 to August 2013
  • When discovered (by hospital): On or around August 8, 2013
  • How discovered: Incident discovered during a "regular audit", when "UnityPoint detected a pattern of unusual access to certain patient data in its hospital EMR system"
  • Patient notification date: Sometime on or before October 2, 2013
  • Public notice date: October 2, 2013
  • Number of patients impacted: 1,800
  • When/where patients received treatment: Patients treated at UnityPoint Health system offices/locations at any time prior to when UnityPoint "shut off the unauthorized access by forcing a password reset"
  • Information accessed: Names, home addresses, dates of birth, medical and health insurance account numbers, and health information related to patient treatment. For less than ten percent of impacted patients, the patient's Social Security number and/or driver's license number may have been viewed. For four impacted patients, the unauthorized user also accessed information about the patient's financially responsible party.

UnityPoint is offering credit monitoring services to the impacted individuals.
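The "pattern of unusual access" that UnityPoint's regular audit caught is what an EMR access-log review is built to surface, and the remedy it applied (forcing a password reset) is the output such a review should produce. What follows is an added example, not UnityPoint's tooling or data: a Python script over constructed audit lines (the timestamp/account/workstation/patient-id layout, the 07:00-19:00 day-shift window and the volume thresholds are all assumptions) that flags an account touching far more distinct patient records in a day than its own typical day, flags off-hours access from a workstation the account never used during business hours, and then lists the accounts whose passwords should be reset.

```python
"""Added example (not UnityPoint's code or data): two simple checks that an EMR
access-audit review could run to surface misuse of legitimate credentials.
All log lines below are constructed; field layout and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit records: ISO timestamp, account, workstation, patient record id.
SAMPLE_LOG = """\
2013-02-04T08:12:00,rn_jones,WS-ED-01,P1001
2013-02-04T09:40:00,rn_jones,WS-ED-01,P1002
2013-02-04T11:05:00,rn_jones,WS-ED-01,P1003
2013-02-05T08:30:00,rn_jones,WS-ED-01,P1004
2013-02-05T10:15:00,rn_jones,WS-ED-01,P1005
2013-02-05T14:50:00,rn_jones,WS-ED-01,P1006
2013-02-06T08:05:00,rn_jones,WS-ED-02,P1007
2013-02-06T13:20:00,rn_jones,WS-ED-02,P1008
2013-02-06T16:45:00,rn_jones,WS-ED-02,P1009
2013-02-08T22:03:00,rn_jones,WS-LIB-07,P2001
2013-02-08T22:09:00,rn_jones,WS-LIB-07,P2002
2013-02-08T22:14:00,rn_jones,WS-LIB-07,P2003
2013-02-08T22:21:00,rn_jones,WS-LIB-07,P2004
2013-02-08T22:30:00,rn_jones,WS-LIB-07,P2005
2013-02-08T22:41:00,rn_jones,WS-LIB-07,P2006
2013-02-08T22:55:00,rn_jones,WS-LIB-07,P2007
2013-02-08T23:10:00,rn_jones,WS-LIB-07,P2008
2013-02-04T07:30:00,dr_smith,WS-ICU-03,P3001
2013-02-04T21:10:00,dr_smith,WS-ICU-03,P3002
2013-02-05T07:45:00,dr_smith,WS-ICU-03,P3003
2013-02-05T16:20:00,dr_smith,WS-ICU-03,P3004
"""

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, an assumed day-shift window


def parse_log(text):
    """Parse the comma-separated audit lines into (timestamp, user, host, patient)."""
    records = []
    for line in text.strip().splitlines():
        ts, user, host, patient = line.split(",")
        records.append((datetime.fromisoformat(ts), user, host, patient))
    return records


def flag_volume_anomalies(records, factor=2, floor=5):
    """Flag days on which an account touched far more distinct patient records than
    its own typical day. The median baseline is robust to a few abusive days, so
    the misuse does not drag its own baseline up."""
    per_day = defaultdict(set)
    for ts, user, _host, patient in records:
        per_day[(user, ts.date())].add(patient)
    by_user = defaultdict(dict)
    for (user, day), patients in per_day.items():
        by_user[user][day] = len(patients)
    findings = []
    for user, days in sorted(by_user.items()):
        baseline = median(days.values())
        for day, n in sorted(days.items()):
            if n > max(floor, factor * baseline):
                findings.append((user, day.isoformat(), n, baseline))
    return findings


def flag_offhours_new_host(records):
    """Flag off-hours access from a workstation the account never used during
    business hours: a common signature of someone else holding the credentials."""
    known_hosts = defaultdict(set)
    for ts, user, host, _patient in records:
        if ts.hour in BUSINESS_HOURS:
            known_hosts[user].add(host)
    hits = defaultdict(int)
    for ts, user, host, _patient in records:
        if ts.hour not in BUSINESS_HOURS and host not in known_hosts[user]:
            hits[(user, host, ts.date().isoformat())] += 1
    return sorted((u, h, d, n) for (u, h, d), n in hits.items())


def accounts_to_reset(records):
    """Accounts implicated by either check: the set to force a password reset on."""
    users = {f[0] for f in flag_volume_anomalies(records)}
    users |= {f[0] for f in flag_offhours_new_host(records)}
    return sorted(users)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in flag_volume_anomalies(recs):
        print("volume:", f)
    for f in flag_offhours_new_host(recs):
        print("off-hours/new host:", f)
    print("reset:", accounts_to_reset(recs))
```

On the constructed data the nurse account's eight late-night lookups from a library workstation trip both checks while the physician's single on-call access from a known ICU workstation does not, which is the distinction such a review has to draw: the goal is to catch credentials being used by someone other than their owner without burying the reviewer in legitimate off-hours care. Real deployments would also need to handle shared workstations, float staff and baseline shifts, so the thresholds here are starting points rather than tuned values.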