Town Square

Post a New Topic

Laptop stolen from Packard Hospital

Original post made on Jun 12, 2013

A laptop computer that might have contained limited medical information on pediatric patients has been stolen from a secure area of Lucile Packard Children's Hospital, officials announced today.

Read the full story here Web Link posted Wednesday, June 12, 2013, 12:27 PM

Comments (25)

Posted by J. Cierra
a resident of Midtown
on Jun 12, 2013 at 1:57 pm

Stanford's concern is shallow and meaningless.

If the hospital wanted to be serious about protecting our information, they would have solved this. It was in January that Stanford supplied another laptop with private information, taken from a car.

What company in Silicon Valley is so stupid to allow its employees to store valuable information on laptops? I have worked for none that were so poorly managed.

Posted by Remy
a resident of Another Palo Alto neighborhood
on Jun 12, 2013 at 3:29 pm

This is indeed the second case this year of a laptop stolen from Stanford Hospital ( at least the second one admitted to). Besides being poorly managed, what is wrong with them????

Posted by noname
a resident of Old Palo Alto
on Jun 12, 2013 at 3:48 pm

I agree...This is actually the second time. I complained to them about this. Because i got a letter stating this and my child's information could be leaked. I moved my kids to Palo Alto Medical which I get better service anyways.

Posted by Not an issue
a resident of Community Center
on Jun 12, 2013 at 4:07 pm

JC-really, shallow and meaningless? [Portion removed by Palo Alto Online staff.] They would have solved this? You think all crimes are easy to solve? Non so poorly managed? How About a prototype IPhone left at a bar. You have no idea how security differs for an institution with thousands of visitors vs a private company with no outsiders.

[Portion removed by Palo Alto Online staff.]

Noname- your loss:
Web Link

Posted by Not an issue
a resident of Community Center
on Jun 12, 2013 at 6:14 pm

[Post removed by Palo Alto Online staff.]

Posted by First Responder
a resident of another community
on Jun 12, 2013 at 10:05 pm

Used to live in PA and worked in the area. I think it is appropriate for Stanford to announce this information, as it is policy in most institutions. As a Paramedic I work on a laptop, I input reports that contain address, name, social security, medical history, assessment, treatment, insurance information (as well as other pertinent information).

All of our computers work off a cloud cad system, without wireless connection through the modem in one of our fleet vehicles, you cannot access the accounts. On top of that, you can only access your account and cases that are less then one week old. We have three passwords you have to get through, and then a password system to enter the cloud cad.

My point, is that these computers are not merely turn on and go to my documents and click on a word file. These computers by law in many instances, as well as by fear of legal action, are put together with the best security the private sector has to offer.

Working on a mobile device is normal in 2013, and those in the bay area/silicon valley should not shun the mobile device. The bigger issue is why this keeps happening, and that is going to take old fashion detective work and a human presence.

While anything is possible, let it be known that the chances of any information being taken off that computer and abused is probably slim to none.

If Stanford is not using a cloud based cad, with built in security, that is an issue in itself.

Posted by Wayne Martin
a resident of Fairmeadow
on Jun 13, 2013 at 6:38 am

The information offered by "First Responder" is interesting, but fails to recognize that data is data--and can be stored on any computer and in any format. With Stanford's being a teaching hospital, there is every reason to believe that doctors/researchers/medical students would be using historical, and current, medical records for "research".

"Security" is a poorly understood area of computing. Keeping a patient contact information in an encrypted format would be a start, but this procedure creates real problems for people wanting to use the data. Keeping encrypted data on "the cloud" is another step forward, but this requires having an active Internet connection to be able to use the data. For people who want to go fishing, and do work in the evening, not having access to their data might be the problem.

Another approach would be to strip out all of the contact information for data given to researchers. Having a "patient ID" would be sufficient for those cases where a Researcher/Doctor might need to contact a patient for further consultation.

There isn't anything suggested here that is difficult to do. It's clear that Stanford, and those who work with patient data, don't seem particularly interested in fully protecting the data that has been entrusted to them.

Posted by James Smith
a resident of Midtown
on Jun 13, 2013 at 8:23 am

As an employee at Stanford, I can tell you that the university took the first incident very seriously: they mandated encryption and backup software for all hospital owned computers and all personal computers connecting to the network or that may contain sensitive data.

They also mandated encryption software for all personal devices including iphones and laptops that even access hospital email. They were also kind enough to offer nearly free macbook pro and air's to all employees working with sensitive data whose computer was not up to encryption standards.

This incident must have occurred on a computer that was slated for destruction. While Stanford is behind the times with regard to a lot of technology, this is not one of those cases.

Posted by Wayne Martin
a resident of Fairmeadow
on Jun 13, 2013 at 8:36 am

> While Stanford is behind the times with regard to a lot of
> technology, this is not one of those cases

And yet, the incidents keep happening.

Posted by Anon
a resident of Midtown
on Jun 13, 2013 at 10:34 am

My child's highly private medical information was compromised in the left of the first laptop. I can't believe this has happened AGAIN. They are not taking enough precautionary steps to ensure that patient privacy is being protected. This is outrageous! The letter we received by Stanford when my child's medical information was released out into the public wasn't even sincere. I feel like they don't really care at all.

Posted by city arrogance
a resident of Midtown
on Jun 13, 2013 at 10:45 am

Anon--you should become familiar with the incidents before you start.
The initial theft was of a laptop that was taken home by a doctor. This doctor told the university there was no patient data on the laptop but there was!!! He was subsequently dealt with.
The second theft happened on hospital property (and Wayne if you have a solution to stop thefts, please let us know).
The university has taken numerous steps to deal with this matter as James Smith outlined above
Please post the letter you got from Stanford, anon, since I find it hard to believe stanford was not "sincere" and "did not seem to care".

Posted by Not the second time either
a resident of another community
on Jun 13, 2013 at 10:45 am

This is not only the second laptop stolen this year, this is one of many security breaches.

My child who had surgery in 2007 had his information compromised. We received a letter informing us that Stanford had subcontracted data management to a company who in turn subcontracted to another company, and then that third company had someone (we were never informed who) place all the patient information on a public website. Sounds crazy to me now as it did then. We received a letter from Stanford Hospital indicating that they would pay for an identity theft alert service for our son and were doing everything they could to prevent such loss of information in the future.

Since their inability to properly manage data has been on their radar for at least 6 years now, it sounds to me like they really are either 1. not taking this seriously enough, or 2. do not know how to tackle this problem appropriately and desperately need outside help.

Posted by J. Cierra
a resident of Midtown
on Jun 13, 2013 at 10:57 am

These two laptops were not the only recent lapses in security. Don't forget that not so long ago, Stanford's casual treatment of data allowed a website to publish names, diagnosis codes, and dates for patients in their emergency room.

There are many ways to solve problems — and posters here have named a few — but encryption and passwords only mask the underlying problem. A serious solution would keep personally-identifiable information hidden securely from everyone except those treating a patient. Procedures like those are work, constant vigilance, a different way of thinking, possible inconvenience.

Stanford's decisions so far have placed their own convenience over protecting patients. Giving access to patient personal information for someone on a fishing trip is a misplaced balance that can be justified only when an organization has abandoned protection.

Posted by Shame on you Stanford.
a resident of Southgate
on Jun 13, 2013 at 12:43 pm

There have actually been five our six serious breaches in the last six years. Each time Stanford says that they are taking it serious, but then they don't put the resources behind it. They missed there own encryption deadlines last fall, Why? Employees were on wait lists to get laptops encrypted. Why didn't they have enough manpower to encrypt the THOUSANDS of laptops that they provide. THey need to stop blaming it on the employees, and put blame where it belongs: who is heading up IT and security? THe President? The Provost? Heads should be rolling at at the very highest levels. WHy isn't the university providing the funds necessary to ensure that every computer is checked for encryption?

Posted by J. Cierra
a resident of Midtown
on Jun 13, 2013 at 2:17 pm

The Stanford Hospital administration org chart lists:

Amir Dan Rubin President and Chief Executive Officer
Diane Meyer Chief Compliance and Privacy Officer

It appears the primary duty of Diane Meyer is to “sincerely apologize for the concern this has caused our patients."

Posted by businessdecision
a resident of another community
on Jun 14, 2013 at 7:00 am

Here is my comment - which I am sure you will all ignore.

Human nature being what it is, we really can't have portable electronic devices with information needing privacy on them. Period.

Stanford has done everything humanly possible, or if not that, close to that, to address this issue, to handle it as it needs to be handled.

But the result is a world full of paranoia and fear - and resentment that computers have to be encrypted (because that "wrecks" them for other purposes).

With a world like this, you will get individuals who will sabotage. Period.

Do not blame Stanford - blame yourselves for buying into the whole thing of portable electronic devices and electronic med records. You'll see what the real consequence is when young people avoid going into medicine as a result.

Posted by R. Berry
a resident of College Terrace
on Jun 14, 2013 at 9:24 am

This is one of numerous data breaches at Stanford and Lucile Packard within the past three years. The press releases and letters are the same they apologize and promise to fix it yet it keeps happening. It's not the staff it is the Compliance and Privacy Department. What have they done in the past few years to reduce these instances? Clearly nothing since this is the probably the 8th incident. We all know that in our workplaces the department head would be fired. In the world we live in we know things are going to get stolen that's why every piece of technology should be encrypted. I bet if they did a review at Stanford they would still find a lot of computers lacking encryption. The physicians and researchers are allowed to bring their own devices and hook them up to the system. There aren't any controls over where data is stored and how.

Posted by businessdecision
a resident of another community
on Jun 14, 2013 at 10:02 am

You're being very unfair. No physician or researcher can hook up computers to "the system" that way.

Posted by businessdecision
a resident of another community
on Jun 14, 2013 at 10:06 am

Shame on Stanford, you're also being very unfair.

By the way, how much do you guys think it costs to have hordes of IT professionals encrypting and deencrypting to reencrypt with a better system thousands of computers?

You weren't paying enough for medical care already?

Posted by Knowledgeable
a resident of Barron Park
on Jun 14, 2013 at 10:16 am

businessdecision, your remark will not go ignored, but it stands incorrect.

Stanford sits in the middle of a community that is a world technological capitol, with too many professionals who know that Stanford has not done "everything humanly possible". By the results, we know that they have done very little.

Even within the lax security of healthcare IT, Stanford is notorious for HIPAA breaches. Compared to practices in place in high-tech firms, Stanford's security is an embarrassment. I agree with other posters: the person in charge of Privacy would have lost their job at any nearby firm.

When technology firms want to protect data now, they do it now. I have seen enormous companies encrypt thousands of laptops in a day. Not encrypted? You cannot connect.

Encryption is only a first and very small step.

If you want to protect data, it never sits on another machine, it can only be viewed there. In order to connect a machine to the network, it must have special intrusive software installed that not only gives permission to connect but can allow administrators to detect violations of security.

A competent Privacy Officer would know and implement these steps and the dozens that follow.

Physicians and researchers cannot hook up computers? Silicon Valley firms hire thousands of non-engineering employees who have been very successful at connecting to systems just like these in order to get their work done: sales, financial, legal, HR, administrative assistants. If Stanford's current physicians and researchers think it unfair to protect patient data, Stanford needs new employees.

Everything humanly possible? No, they have not even begun.

Posted by businessdecision
a resident of another community
on Jun 14, 2013 at 11:27 am

well, unbelievable. Could it possibly be true? If so, why would Stanford...?

Posted by t-geek
a resident of Downtown North
on Jun 14, 2013 at 2:53 pm

@Knowledgeable: ur dead on. not enuf priority or budget for IT? / security? Would hate to be either of those guys, or the PR guy. "As a result of this incident, we are taking additional steps to further strengthen our policies and controls surrounding the protection of patient data to reduce the chance that an incident of this type will happen again." policies and controls? how abou tencrypt, wipe clean..

Posted by Richard
a resident of Meadow Park
on Jun 15, 2013 at 11:57 am

Please note that Stanford University, Stanford University Medical Center and Lucile Packard Children's Hospital at Stanford are SEPARATE organizations, although related. They have their own boards, their own management, their own HR departments, their own benefits departments and, most importantly their own separate IT departments. This is about LPCH and it should not be confused with other organization.

Posted by Theresa
a resident of College Terrace
on Jun 15, 2013 at 3:56 pm

That's not right, Richard. Check for yourself. The main hospital and the children's hospital have the same Privacy officer, the woman who is supposed to have solved these problems sometime in the previous six leaks of private information.

Posted by J. Cierra
a resident of Midtown
on Jun 15, 2013 at 7:19 pm

Six privacy breaches may be an exaggeration. Stanford has reported only five. But then, they did get fined because they failed to report a breach, so who knows.

Don't miss out on the discussion!
Sign up to be notified of new comments on this topic.


Post a comment

Sorry, but further commenting on this topic has been closed.

Stay informed.

Get the day's top headlines from Palo Alto Online sent to your inbox in the Express newsletter.

Analysis/paralysis: The infamous ‘Palo Alto Process’ must go
By Diana Diamond | 6 comments | 2,096 views

Common Ground
By Sherry Listgarten | 3 comments | 1,624 views

The Time and Cost Savings of Avoiding a Long Commute
By Steve Levy | 5 comments | 1,517 views

Planting a Fall Garden?
By Laura Stec | 5 comments | 936 views


Sign-up now for 5K Run/Walk, 10k Run, Half Marathon

The 39th annual Moonlight Run and Walk is Friday evening, September 29. Join us under the light of the full Harvest Moon on a 5K walk, 5K run, 10K run or half marathon. Complete your race in person or virtually. Proceeds from the race go to the Palo Alto Weekly Holiday Fund, benefiting local nonprofits that serve families and children in Santa Clara and San Mateo Counties.