Theft exposes patient data across five US states

The theft of a computer from the office of an Ohio-based health care contractor on Nov. 23 has exposed sensitive data belonging to tens of thousands of patients in five health care firms across five states.

The compromised data includes the names, addresses, medical record numbers, diagnoses, treatment information and Social Security numbers of the patients. Among those affected are patients at Atlanta-based Emory Healthcare, Danville, Pa.-based Geisinger Health System and Franklin, Tenn.-based Williamson Medical Center. The names of two other health care providers affected by the burglary at Cincinnati-based Electronic Registry Systems Inc. (ERS) have not yet been released.

In an e-mailed statement, ERS said that the burglary appeared to have been part of a larger break-in that included several other offices in the same building.

"Law enforcement officials have no evidence that the theft was motivated by the intent to steal data," said ERS, which has 15 employees. The company added that it has implemented "multiple layers of security" to protect the data on the stolen computer but offered no details on what those measures include. ERS currently helps more than 300 regional hospitals, cancer centers and university hospitals manage their health care information.

A Geisinger spokesman Thursday confirmed the compromise and said that the stolen computer held data on approximately 25,000 of its patients. ERS manages a patient registry database for Geisinger and had implemented "multiple protections" on the computer such as double password and log-in protection to secure the information, Geisinger said in a statement.

"We believe that it is unlikely that the information can be retrieved from the stolen equipment," Geisinger Chief Medical Officer Bruce Hamory said in the statement.