The password-protected but unencrypted laptop from the department of surgery was "apparently" stolen from a physician's car on Aug. 16 and immediately reported to police, according to the hospital. Patient notification began on Sept. 2. Protected health information on the laptop included name, age, sex, diagnosis and medical record number, in addition to Social Security numbers for 178 patients.
The university has provided those with compromised SSNs detailed information on requesting a security freeze or a fraud alert on their credit reports. Under Indiana law, the freezes and alerts are free to individuals, paid by the state. The university believes these services are more effective than credit monitoring services, and will pay for additional remediation services if any affected patients report incidents of identity theft, a spokesperson says.
On a frequently asked questions page, the university says, "Surgery faculty, staff and residents are being stringently reminded to store all institutional data on a secure network drive or encrypted drive meeting IU and IU Health partners' specifications. Further steps have been, and continue to be, taken system-wide to help administrators, faculty and staff minimize the use and retention of and access to SSNs and other sensitive data. These steps include an educational campaign with personnel throughout the University to discuss appropriate ways to identify and secure sensitive data, as well as providing tools to help locate and secure such data in files and systems."