New York State Psychiatric Institute Reports 22K-Record PHI Breach
New York State Psychiatric Institute has reported that unauthorized individuals gained access to parts of the institute’s computer system that was used to store the protected health information of 21,880 research participants.
The intrusion was detected on June 17, 2016, although the subsequent investigation revealed that the system was accessed by unauthorized individuals between April 28 and May 4, 2016.
New York State Psychiatric Institute has not been able to confirm whether sensitive data were actually viewed or copied by those individuals, although the possibility that protected health information was accessed could not be ruled out.
The compromised system contained a range of data on research participants, including names, addresses, telephone numbers, email addresses, dates of birth, Social Security numbers, driver’s license numbers, state ID numbers, county, school, and coded health information from questionnaires and interviews.
Access to the system has now been blocked, and the psychiatric facility, which is run by the New York State Office of Mental Health, has brought in a leading external cybersecurity firm to conduct a full forensic analysis of its systems. Steps are also being taken to improve security to better protect data and prevent future security breaches from occurring.
The Department of Health and Human Services’ Office for Civil Rights was notified of the breach on August 15, 2016, and affected research participants have been sent breach notification letters alerting them to the exposure of their PHI. All individuals affected by the breach have been offered complimentary identity theft protection services with ID experts for a period of 12 months.
There have been 62 cases of hacking reported to the Office for Civil Rights so far in 2016, the largest of which was the hacking of 21st Century Oncology, which resulted in the exposure of 2.2 million records.
In 2016 alone, hackers have viewed or copied the protected health information of 10,857,944 individuals. That is four times as many healthcare records as all other types of healthcare data breaches combined. The remaining 125 healthcare data breaches (unauthorized access/disclosure, device loss, device theft, improper disposal) resulted in the exposure of 2,714,789 healthcare records.