Hopkins Reports Theft Of Data

Computer with records stolen in July; patients informed 5 weeks later

Sun exclusive

September 01, 2007 | By Chris Emery, Sun reporter

A desktop computer containing the personal information of 5,783 patients was stolen from Johns Hopkins Hospital in mid-July, and the hospital waited more than five weeks to inform the patients or their families of the theft.

The computer, taken from an "administrative work area" in a building on Johns Hopkins' main campus the night of July 15, contained patients' names, Social Security numbers, birth dates, medical histories and other personal information, according to Hopkins officials. Another computer and a projector were also stolen.

Such potential breaches of personal privacy are becoming more common, in Maryland and across the U.S. In February, Hopkins reported it couldn't locate computer tapes containing personal information on 135,000 employees and patients.

In May 2006, a laptop containing the Social Security numbers of more than 26 million veterans and their spouses was stolen from the Montgomery County home of a Department of Veterans Affairs employee, and later recovered. Last May, St. Mary's Hospital in Leonardtown announced that a laptop containing data on 130,000 former and current patients had been stolen. And last weekend, a Maryland Department of the Environment laptop containing personal records of 10,000 people was taken from an employee's car.

In the latest incident, recordings from video surveillance cameras led authorities to issue criminal summonses for a Hopkins employee and an employee of an on-site vendor, Hopkins spokesman Gary Stephenson said yesterday when contacted by The Sun. He didn't identify the two workers.

Officials said the computer, which was attached to a desk with a steel cable, was password-protected, but the data it contained were not encrypted or password-protected.

Computer not found

Hopkins officials apologized to patients for "any inconvenience or worry caused by the theft." Stephenson said it was "highly likely" the computer was sold for the value of its hardware. It has not been located.

"We have no reason to believe any of the data has been misused," said Stephenson.

The hospital filed a report with police two weeks after the theft but waited until Aug. 24 to begin sending letters to patients to inform them that their personal information was missing.

Stephenson said Hopkins did not make a public announcement and delayed contacting patients in part because public disclosure "might have sabotaged the effort" to recover the computer. He said it also took time to reconstruct the list of patients in the missing database, prepare notification letters and arrange help for anyone affected.
