box10.gif (1299 bytes)







IT Security

SickKids notifies study participants of stolen laptop

TORONTO – The Hospital for Sick Children (SickKids) has notified patients who participated in 10 different research studies about a stolen laptop that contained their personal health information. The laptop was stolen on January 4, 2007 from the car of a physician who was doing data analysis.

SickKids reported the incident to Ontario’s Information and Privacy Commissioner (IPC) and is working in full cooperation with the IPC in an independent review of this incident.

According to a report in the Canadian Press, a doctor with the hospital, who is also a researcher there, took a laptop from work, intending to analyze some data at home. The laptop was stolen when the doctor’s minivan was burglarized in a Toronto parking lot.

While the laptop contained information about 2,900 patients, the computer was password protected and it is not likely that the data could be easily understood by someone who lacks clinical training, the hospital said. Patient care is not affected by this incident, since the stolen laptop contained research data and not patient charts.

The studies involved patients in the rheumatology, endocrinology, infectious diseases and cardiac program. Many of the patients in the cardiac studies were treated in the cardiac program at SickKids as children. Notification letters were sent to study participants who are active patients. In certain circumstances, patients were notified in person at clinic appointments.

SickKids said it is committed to the protection of patient privacy. It is working with the IPC on a review of applicable policies and practices to ensure appropriate privacy and security safeguards are in place and that they are clearly and consistently communicated to hospital staff.

On a related note, Ontario’s privacy commissioner, Ann Cavoukian (pictured above), warned that hospitals and businesses need to do a better job of ensuring personal information doesn’t fall into the wrong hands – especially with the growing use of mobile information devices like laptops, BlackBerrys and other PDAs.

SickKids is developing a policy to ensure personal health information that’s stored in a location other than on its secure servers – a laptop, for instance – is either encrypted or carries no personal identifiers.

Cavoukian said she’s urging all hospitals, businesses and government departments to adopt similar restrictions, and applauded hospital officials for taking action.