Sentara Norfolk General Data Breach (2012)

The letter arrived during the Christmas holidays. It looked like junk mail, so Patricia put off opening it. When she finally read it, the first paragraphs alarmed her: "Regrettably, we are writing to inform you about an incident involving your health information." In November, an "electronic device" had been stolen out of the locked car of an employee of a company contracting with her hospital, Sentara Norfolk General. It "may have contained clinical and demographic information" about her, including name, birth date, patient number and medical record number. Patricia's medical records were not on the device, however. Neither was her Social Security number or information about her bank account or insurance. The company, Omnicell Inc., "has no reason to believe that the device was taken for the information it contained, or that the information has been accessed or used improperly." Patricia felt better, but small doubts persisted. "Should I believe them?" she wondered, "I don't know." The 38-year-old Norfolk woman was among 56,000 Sentara Healthcare patients to receive that letter and among millions nationwide made vulnerable each year by lapses in security protecting their personal health information. Such large-scale breaches are rare: 152 incidents were reported in 2011 among more than 700,000 organizations, according to the Health Information Trust Alliance. Smaller lapses are more common, averaging in the tens of thousands a year. Breaches range from improperly discarded paper records to unauthorized access to a health provider's email account. A dishonest employee may pass along patient information for fraudulent use, or an unencrypted flash drive may go missing. Some lapses likely are never discovered. A single one can jeopardize millions of records.