A hard drive containing the personal information of 2,200 LSU Health New Orleans patients was stolen in March, and while police quickly made an arrest, the hard drive has not been recovered, the LSU Healthcare Network said Friday.
The network said the theft occurred in the Department of Neurology Research on or around March 6. Law enforcement was notified immediately, and a suspect was arrested March 7.
The hard drive contained patient lists for research studies done between 1998 and 2009, including names, dates of birth, and diagnosis and treatment codes. It did not include Social Security numbers, credit card or bank account information or other patient health data, officials said.
The LSU Healthcare Network identified the patients whose information was on the hard drive by reconstructing files from a researcher’s desktop computer, and they are being notified.
Patients of Drs. Olejiniczak, Bagert, Tender, Guiterrez, Fisch and Mader from 1998 to 2009 who have not gotten a notification letter are asked to call (844) 557-2564 or email email@example.com.
The LSU Healthcare Network said it is not aware of any unauthorized access to the data or any other misuse of the data, but patients of those physicians during that period are urged to visit www.identitytheft.gov to take steps to protect themselves against any potential identity theft.
The network said that information technology policies designed to protect health information, including the use of encrypted mobile devices, were not adhered to and that “appropriate remedial action will be taken.”
It also is updating its security policies and will incorporate them into its training programs.
The network apologized for the incident and is offering affected patients a one-year subscription to a credit monitoring service. Patients can call (504) 412-1565 or (844) 557-2564 or email firstname.lastname@example.org for information.
In 2009, a janitor at Ochsner Medical Center stole printouts of patient information that included Social Security numbers and used them to open retail charge accounts. He was convicted in 2012 and sentenced to 27 months in prison.