6,600 Patients Discover PHI Has Been Exposed

NYU Langone Health System has discovered a binder containing a log of presurgical insurance authorizations was accidentally recycled by a cleaning company in October. The binder contained records relating to around 2,000 patients.

Information in the binder included names, birth dates, dates of service, current procedural terminology codes, diagnosis codes, insurer names, and insurance ID numbers. In some cases, brief notes may have been present, along with insurance approvals/denials and inpatient/outpatient status. No Social Security numbers were recorded in the paperwork, nor was any financial information.

As required by HIPAA, NYU Langone Health System had implemented a policy that requires all PHI to be disposed of securely when it is no longer required, typically by shredding documents. Since the binder was taken for recycling by accident, that did not occur.

Since insurance ID numbers were present in the logs, NYU Langone Health System has offered all affected patients complimentary identity theft protection services and cyber monitoring services through ID Experts for one year.

To prevent similar incidents from occurring in the future, staff have been reeducated on the importance of safeguarding patient information and practice workflow has been updated to improve the protections for sensitive patient information. No reports have been received to suggest any information has been used inappropriately.

Chilton Medical Center Breach Impacts 4,600 Patients

Chilton Medical Center (CMC) in Pequannock, NJ has discovered an employee stole and sold computer hardware containing the PHI of patients. Names, addresses, medical record numbers, dates of birth, details of allergies and medications received at CMC were stored on a hard drive that was removed by an employee and sold on the Internet.

The sale of the hard drive was not authorized by CMC and was in breach of the medical center’s policies. The incident has been reported as a theft and the Morris County Prosecutor’s Office has been notified. According to the breach notice placed on the medical center’s website, the employee no longer works at CMC.

Upon discovery of the incident, an internal investigation was launched, and it became apparent that this was not the first time that computer hardware and assets had been removed by the former employee and sold online. Those additional devices and assets are not believed to have contained any patient information, although the investigation is ongoing.

Patients impacted by the incident had visited CMC for medical services between May 1, 2008 and October 15, 2017. All patients impacted were notified of the security incident on December 15, 2017. CMC said additional processes and controls have been put in place to prevent incidents such as this from occurring in the future.

The incident has been reported to the Department of Health and Human Services' Office for Civil Rights. The breach report indicates 4,600 patients have been affected.

Author: HIPAA Journal
