Updated 09/04/2010 09:26 AM
URMC Notifies Patients of Possible Privacy Breach
The University of Rochester Medical Center is notifying over 800 patients about a possible privacy breach after one of its surgeons lost a computer flash drive containing private information. Now the hospital plans to improve its security practices.
The University of Rochester Medical Center disclosed that patient names, dates of birth, diagnoses and other private clinical information were stored on the surgeon's computer flash drive.
"We're conservatively estimating that it's 837, but that's a very conservative upper limits estimate," Jerry Powell, URMC's Chief Information Officer, said.
As a precaution, URMC sent letters to all the patients the surgeon saw in the last three years because the flash drive was not encrypted.
"Encrypted in the sense that the contents are scrambled, that they wouldn't be easily readable by someone without a key to open that encryption," Ben Woelk, RIT Policy and Awareness Analyst, said.
Ben Woelk develops policies and awareness protection for RIT. He believes security standards have increased over the past five years but says adapting to the changes is much harder for the public and private sector.
"Unfortunately, I don't think that they can keep up with the changing technology," Woelk said.
But it's not just flash drives that people should worry about. With the advancement of portable devices, like PDAs, the need for security is much greater.
"With the smartphones, iPad, Androids, it's much more complicated, because, depending on the device, there may or may not be an encryption capability," Woelk said.
URMC Chief Information Officer Jerry Powell says the hospital's 15,000 computers and 90% of faculty and staff members' portable devices are encrypted. The new URMC policy addresses the remaining 10%.
"The new technologies do give physicians better access to their patients. But we also want to be sure that that access protects patient information," Powell said. "Because of this breach we are going to enforce all-encryption for flash drives," he added.
Woelk says all the safety measures could be in place for the technology but ultimately it's the responsibility of the person.
URMC tells us it does not plan to discipline the surgeon for misplacing the flash drive because it was a first instance. A second instance would be subject to disciplinary action, according to Jerry Powell.
And we checked in with other local hospitals about the practice of encrypting files.
Unity Hospital responded that it provides clinical staff with fully encrypted thumb drives to protect patient information. Rochester General Hospital was not able to comment on its security practices.