The flash drive contained information about patients admitted to Our Lady of Peace dating back to 2002. Information was unencrypted, according to the hospital, and included data such as patient names, room number, insurance, admission date and discharge date. However, it did not contain diagnosis or treatment, Social Security numbers, date of birth, telephone numbers or address information, the hospital said.
Information on patients assessed since 2009 but never admitted included only the patient names, date of assessment, and date of birth at the time that the patient left the hospital.
"These circumstances were discovered on April 1, 2010, and reported to our compliance officer and privacy officer in accordance with policies and procedures," Our Lady of Peace said. "Our investigation of the matter involved interviews with team members, a review of security tapes and an analysis of the computer's usage history. The investigation concluded that the flash drive is missing. Attempts to locate and recover it were unsuccessful."
The hospital, a religiously operated 278-bed facility in Kentucky, posted an advertisement in the Courier Journal, Louisville's largest newspaper. It also published a notice on its website, and is privately notifying each individual affected by the incident.
Our Lady of Peace is not offering credit protection coverage for the victims, but has recommended the three major credit reporting bureaus as contacts for those affected.