Hospital Administrator vs. HIPAA
Wednesday, September 3rd, 2008
Houston, you have a problem, again. This issue does not involve people halfway to the moon, but something much closer. This situation involves you and people who have gone to the Harris County Hospital District for medical attention. This is especially true if you happen to suffer from HIV, AIDS, or any other of a long list of medical conditions. It seems that an administrator at the hospital downloaded complete and very private records onto two flash drives and then lost them. No one has any idea where the drives went, but everyone is unanimous in saying how terrible of a situation this has become for the upwards of 1,200 people affected.
Very few details about this incident have been released at this point. The name of the employee has not been released, although an insider said that she is not available for contact and has left the area pending the investigation. A spokesman for the hospital said that a letter was being sent out to the affected individuals. Within the letter was a request that affected people enroll in an ID theft subscription service, like Lifelock, at the hospital’s cost. These services provide monitoring of the three major credit bureaus. By keeping tabs on all three bureaus, they are able to contact their customer whenever a new credit card or loan application is filed. If the customer says that the application is legitimate, then nothing is done. However, if the application is fraudulent, Lifelock prevents it from being processed any further and significantly limits the possibility of credit damage and identity theft.
The reason the hospital is recommending that people subscribe to Lifelock and other services is that the information on the flash drive contained names, addresses, social security numbers, the social security numbers of spouses, and full medical records and treatments. Even worse is that there was no password protection or encryption on the drive. This means that whoever finds this drive can plug it into their computer, open the files, and have instant access to all the personal data of the 1,200 people. This blatant violation of both hospital and government policies is the reason that HIPAA may be getting involved. Set up by the United States government, HIPAA was established to provide security for patients’ medical records. The nameless employee in this case could be facing a $25,000 fine for her carelessness.
An equally troubling issue in this whole case is that an insider at the hospital has supplied the media with a private memo that was distributed to the company. Apparently, three more flash drives are missing, and all of them were last seen on the desk of the worker guilty of the above-noted data breach. The hospital is asking for the immediate location and return of these drives, specifying that one drive contains information “very important to the district and needs to be found as soon as possible.” There has been no word yet on whether or not these drives have been located or what information is contained on them. Either way, hospital administrators have said that they will review and upgrade all security policies to make sure that nothing of this nature happens again in the future.