A laptop computer with health and personal information on 21,000 patients was stolen from an office at Thomas Jefferson University Hospital in Philadelphia in June.
The patients whose unencrypted records were on the password-protected laptop were notified last Friday of the theft in a letter from hospital president Thomas J. Lewis, who offered identity-theft monitoring and protection.
Lewis said the hospital would do all it could to protect the patients whose information, including Social Security numbers, had been exposed and take steps to prevent similar incidents in the future.
The breach at Jefferson is part of a national problem, experts say.
A federal database has documented 121 such lapses nationwide since September 2009, showing that medical or financial information had been exposed for more than five million people.
"There is almost no excuse for unencrypted data to be sitting on any computer at a hospital or any organization," said Scot Silverstein, a Drexel University expert on health-information technology.
Such problems heighten the concern many people have about the move toward electronic health records.
Perhaps as a result, the U.S. Department of Health and Human Services has increased penalties for violations of patient privacy, including fines for up to $50,000 per violation and up to $1.5 million a year.
Still, such breaches occur every week.
A similar loss of private patient information occurred in December at Children's Hospital of Philadelphia when an employee's laptop with data including Social Security numbers on 943 patients was stolen from a car.
On Tuesday, Cooper University Hospital in Camden reported that a flash drive with Social Security numbers, addresses, and phone numbers of medical residents and fellows was missing.
"The hospital is conducting a thorough investigation and has initiated an aggressive plan to protect any personnel who could be affected by this potential security breach," Cooper said in a statement.
Meanwhile, a nurse accessed records of 600 patients at Tomah Memorial Hospital in Wisconsin to get narcotics data for personal use, and 1.2 million patient records were stolen on a laptop owned by a Florida health insurer, AvMed Inc.
"We are seeing this all the time," said Paul Stephens, director of policy and advocacy at the California-based Privacy Rights Clearinghouse.
The Jefferson loss, which has not yet appeared in the federal database, would tie for the 17th-largest with a dentist's office in Texas where a portable electronic device was stolen in February.
The Jefferson records were for every patient admitted to the hospital from March 9 to June 9 and Aug. 1 to Nov. 1, 2008.
Employees gathered the data to assess an effort to reduce the number of dangerous blood clots that develop in some patients - so-called deep vein thrombosis.
One employee copied the data onto a personal laptop. That violated hospital policy and raised concerns about what system flaws allowed the data to be copied.
Lewis, the hospital's president, said the hospital's internal investigation took time to correctly identify the patients and find the right firm to protect their identity.
He said that was why patients were not notified of the June 14 theft until Tuesday.
Lewis wrote a two-page apology.
Jefferson also hired Kroll Inc. to provide identity-theft monitoring, protection, and remediation.
Lewis urged all the patients who get the letters to activate their Kroll account at Jefferson's expense.
"As upsetting as it is for me, I know it is even more upsetting for the people who have gone through it, and I am really sorry that they have to deal with this," Lewis said.
Jefferson has not been notified that any of the personal information has been accessed or used inappropriately. But Lewis emphasized that it was critical for the patients to activate the protection as soon as possible.
Such incidents can be extremely disturbing.
"Who wants to see your boss walk around with your list of antidepressant medications or your history of STDs?" asked Ross Koppel, a sociologist at the University of Pennsylvania whose research focuses on health-information technology.
On the other hand, Koppel said, "by having the data in digital form, it can improve the quality of care and speed of research to find cures."
And he said that so much data are already public in digital form that "on balance the benefit of having the electronic medical records" outweighs the privacy issues.