HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

More than 10,000 FDNY EMS Patients Notified of PHI Exposure

10,292 EMS patients who were taken to hospital by a New York Fire Department (FDNY) ambulance between 2011 and 2018 have had some of their protected health information exposed.

According to FDNY spokesperson Myles Miller, there was “a loss of data caused by one employee’s failure to follow the department’s data security policies.”

The fire department learned on March 4, 2019 that an employee’s personal hard drive was missing. The hard drive had been used by the employee to store files containing patient information such as patient care reports.

A patient care report is created when a 911 call is received that requires an ambulance to respond. The reports contained information on 10,253 patients such as name, address, telephone number, date of birth, insurance details, health condition, and for approximately 3,000 patients, their Social Security number.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

All affected individuals are now being notified of the breach and individuals whose Social Security number was exposed have been offered complimentary credit monitoring services. “The FDNY is treating the incident as if the information may have been seen by an unauthorized person,” wrote the FDNY in its breach notification letter.

The employee in question was authorized to access patient information but was not authorized to use a personal, unencrypted hard drive to store files containing protected health information. The employee will be subjected to disciplinary measures and all employees required to handle medical information will be retrained.

Tennessee Health Group Email Account Breach Impacts 3,812 Patients

Linden, TN-based Perry County Medical Center, dba Three Rivers Community Health Group, has discovered an unauthorized individual has gained access to an employee’s email account.

The email account breach was discovered on May 28, 2019 and the subsequent forensic investigation confirmed patient information may have been viewed or copied.

The types of information detailed in emails and email attachments included names, dates of birth, dates of service, physician’s name, pharmacy and prescription information, and insurance group ID numbers. Some patients only had their first and last name exposed.

Patients affected by the breach were notified on July 26, 2019. Steps have now been taken to prevent similar account breaches in the future.

The HHS’ Office for Civil Rights breach portal indicates 3,812 patients were affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.