N.C. EMS waited 8 days to tell of laptop theft
By Sam LaGrone
The News & Observer
Copyright 2008 The News and Observer
RALEIGH, N.C. — Wake County officials are investigating whether county emergency medical services supervisors violated their own procedures when they waited eight days to report as stolen a missing laptop with the names and Social Security numbers of more than 4,600 patients, paramedics and firefighters.
According to Wake EMS standard operating procedure, if theft is suspected, "the EMS Chief and the law enforcement agency with jurisdiction should immediately be contacted."
But a timeline of the county's reactions released this week details the eight-day delay. According to the timeline, Wake EMS Chief Skip Kirkwood was notified Jan. 17, the same day the laptop was discovered missing from a battery charger at a paramedic station on WakeMed's Raleigh campus. But hospital police did not take a report until Jan. 25, after Kirkwood met with the county attorney, Scott Warren, and the head of Wake County's Information Technology Department, Lib Wanner.
Kirkwood has said the department spent those eight days doing an exhaustive search, which included help from WakeMed Police in reviewing their security tapes.
Deputy County Manager Joe Durham said whether or not EMS personnel adhered to the procedure will be part of an overall review of how the case of the missing laptop was handled.
"That's something we're going back and looking at," he said. "We have not made a determination on that yet."
The missing laptop contained names, addresses and Social Security numbers for 1,188 patients transported by Wake County paramedics and contract ambulance services -- information that is a prime target for identity thieves.
The laptop also contained the names and Social Security numbers of every person who has worked as an emergency medical responder in Wake County since the electronic patient data system began -- a list totaling more than 3,400 names. The county waited three weeks after the computer went missing to inform patients and EMS workers. Most received notification Friday, county officials said.
EMS workers, from volunteers to full-time staff, are assigned a four-digit number and password used to access the county's online patient system. But unbeknown to most employees and volunteers, every Wake EMS laptop had that code number paired to the worker's name and Social Security number. The Social Security numbers were used to verify a user's identity if he forgot his user name or password. The numbers were taken from an EMS personnel database and loaded onto the laptops.
The practice of using Social Security numbers or a mother's maiden name for password authentication is frowned upon by security experts, since the information is easier to discover than other security questions that don't have answers in the public domain. Also, the sensitive personal data on the laptop was not encrypted, making it easier for identity thieves to steal.
Durham said last week the Social Security numbers were in the process of being scrubbed from the Wake EMS network.
Carrie Bowden, a Durham paramedic who is also a part-time volunteer at the Stony Hill Rural Fire Department in Wake County, was surprised that her Social Security number and name were on the missing laptop. She was informed by county officials last week.
"There's no reason my Social Security number should be on that computer," Bowden said. "It's not even encrypted. Nice."