Health privacy undermined: Worst breaches of 2009

Octo-mom, ransom notes and stolen Blackberries entangled in these tales of health information breaches and lost medical records

Hospitals, pharmacies and health insurance companies are among the hardest hit when it comes to hacker attacks, stolen laptops, spying employees and other information security mishaps. Healthcare organizations are losing more than just names and Social Security numbers. When their data gets stolen, patients lose the privacy of their medical conditions and treatments while at the same time falling prey to identity theft, medical billing fraud and other criminal schemes. Here's a look at the worst healthcare data breaches of 2009 as recorded by The Privacy Rights Clearinghouse and some of the scary stories behind them.


Virginia's prescription drug database

More than 8 million personal pharmaceutical records were stolen from the state of Virginia's prescription drug database and held hostage by hackers, who demanded a $10 million ransom. The agency says as many as 531,400 patients had Social Security numbers listed in its Prescription Monitoring Program database, which includes prescriptions for painkillers that are often abused.

Salisbury, Md. medical practice

Three back-up tapes containing information about 100,000 patients were stolen from this Salisbury, Md. medical practice while en route to an off-site storage facility. The stolen data includes Social Security numbers, employer names and health insurance numbers, leaving the victims at risk for medical identity theft. Patients were warned of the incident via letter on April 6, 2009.

Moores Cancer Center

Moores Cancer Center at the University of California, San Diego, warned patients that a hacker had breached its computers and gained access to patients' personal information. The stolen data includes patient names, birth dates, diagnosis and treatment dates, but not Social Security numbers. The hospital said the incident occurred in late June.

Moses Cone Memorial Hospital

A stolen laptop is the reason this Greensboro, N.C. hospital lost data — including Social Security numbers — for 14,380 patients. The hospital is offering one year of identity theft insurance for the patients, who were treated by the cardiology and orthopedic departments. The laptop was stolen from the Canton, Ga., facility of VHA, one of the hospital's vendors. The hospital waited a month before announcing the incident.

Johns Hopkins Hospital

This Baltimore medical establishment warned 10,200 patients in April that their data was put at risk by a former employee, who worked in patient registration and has been linked to a scheme to create phony Virginia drivers' licenses. The employee had access to patient names, addresses, dates of birth, telephone numbers, Social Security numbers, parents' names and medical insurance information. Law enforcement officials have identified 30-plus victims.


Walgreens failed to encrypt an e-mail attachment containing the names, dates of birth, Social Security numbers and health insurance claim numbers for 28,000 Kentucky retirees who use the state's pharmacy benefits. The e-mail covered Medicare-eligible users of the state's retiree pharmacy benefit in 2007. Walgreens officials said the risk for identity theft was minimal.

Marian Medical Center

A BlackBerry containing information about 3,200 emergency room and urgent care patients at this Santa Maria, Calif., medical center was stolen. The BlackBerry contained an e-mail message attachment that included patients' Social Security numbers, dates of birth and medical histories. The hospital is paying for a credit monitoring service for the patients whose data was put at risk.

Northeast Orthopaedics

An Indian outsourcing firm posted on its Web site the records of more than 1,000 patient visits to Northeast Orthopaedics, an Albany, N.Y., surgical practice. The records included patient names, birth dates, Social Security numbers and a description of medical conditions. The Indian firm had been hired by MRecord, a North Carolina medical transcription service used by the practice.

Kanawha-Charleston Health Department

All patients who received flu shots last fall from this Charleston, W.V., agency were warned in January that they were at risk for identity theft. A clinic employee was charged with stealing personal information about patients including their names, birth dates, Social Security numbers and addresses. The employee, a temporary billing clerk, allegedly used the information to obtain credit cards in the patients' names and make fraudulent purchases.

Kaiser Permanente Bellflower Medical Center

Curiosity is the cause of the data breach at this California hospital, where Nadya Suleman delivered octuplets. The hospital found that 23 unauthorized employees had examined Octo-Mom's medical records. The hospital was fined $250,000 for this incident, and another $187,500 for a second incident involving four other patients.

Have your medical records been breached? Tell us your tale of woe and whether you ended up a victim of identity theft or medical billing fraud.