A non-encrypted Penn Medicine laptop with personal information of about 1,000 patients was stolen on Nov. 30, reported Philly.com.
The laptop was stolen from a car in the King of Prussia Mall parking lot over a month ago, and Penn Medicine has been working with Upper Merion Township police and an internet service provider to locate the missing computer.
Penn Medicine sent a letter to patients whose personal information was stored in a file on the unencrypted laptop, notifying them that the device was stolen, a Penn Medicine spokesperson wrote in an emailed statement.
The information stored on the laptop included patient names, dates of birth, medical records and patient account numbers, and some demographic and medical information, but did not include Social Security numbers, credit card or bank account information, or contact information, according to the statement.
"In addition to working with the police, we have worked with the computer manufacturer as well as relevant internet service providers to determine if there is any evidence that the laptop has been turned on and/or accessed. To date, there is no indication that either has occurred, and the laptop is protected by a strong password," the statement read.
The Penn Medicine Academic Services User Responsibilities requires that all laptops with "Sensitive or Confidential data" be encrypted.
Penn's Computer Security Policy further defines "Sensitive Personally Identifiable Information" to include protected health information such as demographic data, a patient's mental health or physical condition, a patient's provision of health care, and a patient's payment for provision of health care paired with an identifier such as a name, address, phone number, or account number.
The information on the stolen laptop falls under this category of "Sensitive or Confidential data," so the unencrypted laptop is a violation of the University's Computer Security Policy.
The Computer Security Policy states that the consequences of such a violation could include "regulatory fines, lawsuits, reputational damage, and the loss of trust by critical members of our community" for Penn, its schools, and its centers. Risks for the patients whose information was on the laptop include "identity theft, embarrassment, harassment, and other problems."
The policy, which became effective Feb. 9, 2016, cites any breach of Penn Security Policy as a threat to the integrity of the research and teaching contained on Penn's computing infrastructure.
A representative from Upper Merion Township Police Department Records said they have not made the details of the case publicly available.