A New York State Psychiatric Institute data breach that occurred between April 28 and May 4, 2016 has recently been announced. On June 16, 2016, New York State Psychiatric Institute, which is owned and operated by the New York State Office of Mental Health, became aware that unauthorized individuals had gained access to parts of the Institute’s computer systems.
The protected health information of research participants was potentially accessed and copied by those individuals. The data stored on the compromised part of the network include the names of research participants along with dates of birth, addresses, email addresses, contact telephone numbers, school, county, coded health information, Social Security numbers, and Driver’s License numbers. The exposed health information was obtained via questionnaires and interviews with research participants.
The information could potentially be used to steal identities or commit fraud. In order to protect breach victims from experiencing financial losses from the misuse of their PHI, all are being provided with a year of Identity Theft protection services without charge via ID Experts.
All affected individuals are being notified of the New York State Psychiatric Institute data breach by mail and a substitute breach notice has now been published on the Institute’s website. A helpline has also been set up to enable individuals to find out more about the breach. An external cybersecurity firm was brought in to conduct a forensic investigation. Based on the results of that investigation, additional security measures will be employed to prevent future breaches of this nature from occurring.
The Department of Health and Human Services’ Office for Civil Rights has been notified of the New York State Psychiatric Institute data breach in accordance with Health Insurance Portability and Accountability Act (HIPAA) Rules. OMH is currently working closely with law enforcement to identify the individuals responsible for the breach.
It is currently unclear how many individuals have been affected as the incident has yet to be published on the Office for Civil Rights breach portal.