Department of Medicine IT

Lost and/or Stolen Devices

Last updated: September 29, 2023

Lost or stolen computing devices pose a potentially significant risk to the confidentiality and integrity of institutional data stored on them. In such scenarios, the loss or theft must be reported properly so that any potential impact of the incident can be assessed. Regardless of the types of data stored on the device, the security measures taken on the device to protect the data, or the circumstances of the loss, all incidents must be reported so that an investigation can be performed to satisfy regulatory and/or contractual obligations.

Devices that are lost but subsequently found/returned are not exempt from these requirements. These incidents must be investigated to be reasonably certain that these devices have not been tampered with.

Applicable devices

The loss or theft of any device containing UW-owned data must be reported. This includes devices owned by the UW, affiliated entities, and individuals. The scope of devices includes anything that stores data, including computers (desktops and laptops), smartphones, tablets, and storage devices (including portable hard drives, flash drives, etc.). Data commonly stored on personally owned devices includes synchronized UW email (in Outlook, Mail, and other applications), synchronized OneDrive for Business data, and documents opened locally from webmail sources.

Reporting Process – Mandatory

File a police report

Theft/loss events must be reported to the proper authorities. For the UW campus and surrounding areas, the report must be filed with UWPD. Their reporting website is https://police.uw.edu/online-reporting/. For theft incidents in other locations, the report must be filed with the law enforcement agency with jurisdiction in that area (local police department/sheriff’s office).

Notify your management

Your management should remain in the loop during this process. They should begin the process of replacing the device (or assigning a replacement) for UW-owned devices.

Notify DOM IT

ishelp@medicine.washington.edu

The incident should be reported to DOM IT (assuming it was configured/supported by DOM IT). The DOM IT team will determine the last known security configuration of the device (particularly to ensure its storage was encrypted) and provide that information to you. They can also arrange for a loaner device to be issued until your device can be replaced.

File an incident report with the UW Privacy Office

https://privacy.uw.edu/take-action/report/

The incident must then be reported to the UW Privacy Office via their online incident report form. The form will ask detailed questions about what type of data was stored on the device and what the security configuration was on the device, and will ask for police report information. They will then review the request and engage any relevant UW entities depending on the type of data potentially in breach (such as UW Medicine Compliance).