By Senator Roy Dyson
Like me, many of you may have received an alarming letter in the mail from either St. Marys Hospital or Johns Hopkins University Hospital informing us that a laptop computer had been taken.
According to St. Marys Hospitals letter to me, the laptop contained information including names, social security numbers and birthdates of thousands of former patients dating back to the 1980s.
St. Marys has notified law enforcement agencies about this potential breach of patients individual information. St. Marys Hospital has brought in National ID Recovery, LLC which specializes in managing systems in which data may have been compromised. They will work with you to monitor your information for potential identity theft. Call 1-800-836-5679 to speak to a paralegal if you wish to enroll in this free program.
St. Marys Hospital was right to let people who have received care there that this situation had occurred. I also appreciated St. Marys Hospital President and CEO Christine Wray calling my office to answer any questions I may have had about this breach of security in my official position as State Senator. Obviously, a lot of people were upset that their personal information may have been compromised and they may become victims of identity theft. It would have been easy for St. Marys Hospital and Johns Hopkins to cover-up this incident. Because, by law, they could have done just that.
There is no statute that required either hospital to reveal this information. For this reason, I have introduced legislation that would strengthen our identity theft laws in Maryland. This legislation would mandate that a business which St. Marys Hospital is protects an individuals personal information.
When a business is destroying a customers records containing the customers personal information, the business must take all reasonable steps to destroy or arrange for the destruction of the records in a manner that makes the information unreadable or undecipherable through any mean.
A business that compiles, maintains or makes available personal information of a Maryland resident must implement and maintain reasonable and appropriate security procedures and practices to protect the personal information from unauthorized access, destruction, use, modification or disclosure.
A business that compiles, maintains or makes available records that include a Maryland residents personal information must notify the individual of a breath of the security of a system, if, as a result of the breach, the individuals personal information has either been acquired by an unauthorized person or is reasonably believed to have been acquired by an unauthorized person.
Notification of a breach under this legislation may be given by written, electronic or by telephonic communication.
This notification must include description of the categories of information, including which elements of personal information, that were, or are reasonably believed to have been acquired; contact information for the business making the notification, specified contact information for the major consumer reporting agencies and specified contact and other information relation to the Federal Trade Commission and the Office of the Attorney General.
I introduced one of the first identity theft bills several years ago, but this is an ongoing problem that is difficult to keep a handle on because those who commit these crimes are always coming up with new and diabolical ways to steal peoples identities. I believe this bill is an extremely strong deterrent to this problem.
Sensitive Data Stolen From St. Mary's Hospital, February 08, 2007