LSU Health Laptop Theft Exposes PHI of at Least 5,000 Minors

A laptop computer issued to Dr. Christopher Roth by the LSU Health New Orleans School of Medicine has been reported stolen, and along with it, the electronic Protected Health Information (PHI) of approximately 5,000 patients. The majority of patients affected by the breach were minors.

The computer was left in a vehicle that was parked in front of the physician’s home on July 16. The theft was discovered the following morning and was immediately reported to law enforcement officers.

Physician Breached Hospital Data Security Policies

LSU Health New Orleans School of Medicine has data security policies in place which forbid staff from leaving electronic devices unattended. All members of staff were also instructed to take extra care of devices containing PHI. Dr. Roth therefore violated the School of Medicine’s data security policies by leaving the laptop computer in his vehicle, and will be disciplined by LSU Health for the infraction once the investigation is completed.

That investigation has proved complicated, as patient data were stored on the laptop’s hard drive, not on LSU’s servers. The problem faced by LSU Health was how to determine what data were stored on the laptop. Backups could not be used to determine which patients had been affected, and without physical access to the laptop, the exact data exposed could not be determined.

The process has reportedly taken two months to complete due to the complexity of the task: virtually the entire 60-day timeframe set by the Department of Health and Human Services’ Office for Civil Rights (OCR) for issuing breach notification letters to patients.

Those breach notification letters have now been mailed to patients, the majority of whom reside in Louisiana or Mississippi. The OCR has also been informed of the breach and will investigate it, as it does with all data breaches affecting more than 500 individuals.

5,000 or More Patients Affected by the Laptop Computer Theft

Investigators were able to determine that as many as 5,000 patients are likely to have been affected, but since the laptop could not be accessed, it is possible that other patients could also have had their PHI exposed. Consequently, LSU Health is advising all patients who visited Dr. Roth for medical services between July 2009 and July 16, 2015 to call the healthcare provider’s dedicated data breach helpline for further information and to find out if they have been affected.

The breach notification letters explain the nature of the breach and the data that have potentially been exposed. The Protected Health Information potentially stored on the laptop included patient names, dates of birth and health information, such as service dates, lab test results, descriptions of medical conditions, diagnoses and treatment information. Radiological images and ultrasound scans were also stored on the computer, as were medical record numbers. LSU Health investigators were able to confirm that no financial data were stored on the laptop, as this information was not provided to Dr. Roth. Similarly, no Social Security numbers are believed to have been exposed.

When data are stored on servers, an access trail is created whenever information is accessed. In this case, since the data were stored locally, it is not possible to determine whether any of those data have been accessed. LSU Health’s investigation has not uncovered any evidence to suggest the data have been accessed or used inappropriately at this time.

Patients Offered Credit Monitoring Services to Reduce the Risk of Identity Theft Losses

It is not known whether Dr. Roth was a victim of an opportunistic crime or if he was targeted, so the level of risk faced by patients cannot be determined with any degree of accuracy.

To reduce the risk of financial harm being suffered, patients are being advised to sign up for credit monitoring services, the cost of which will be covered by LSU Health. Details of how to do this have been provided in the notification letters.

Policies were put in place by the healthcare provider to keep patient PHI secure, but those policies did not prove to be effective in this case. To reduce the risk of future data breaches occurring, LSU Health is in the process of revising its data security policies. The new measures it plans to implement have not been disclosed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.