PHI of Almost 7,000 Patients Exposed in Two Separate Breaches

A binder holding a log of presurgical insurance authorizations was accidentally recycled by a cleaning company contracted by NYU Langone Health System in October. The binder was holding records referring to around 2,000 patients.

The binder had saved information including names, birth dates, dates of service, current procedural terminology code, diagnosis codes, insurer names, and insurance ID credentials. In some instances, short notes may have been present, along with insurance approvals/denials and inpatient/outpatient status. No Social Security numbers were in the paperwork, and neither any financial data or information.

As required by HIPAA regulations, NYU Langone Health System had adapted a policy that requires all PHI to be destroyed securely when it is no longer required, usually by shredding documents. Since the binder was taken for recycling in error, that did not occur.

Since insurance ID numbers were not in the logs, NYU Langone Health System has offered all affected patients free identity theft protection services and cyber monitoring services through ID Experts for the next year.

To stop similar incidents from being experienced in the future, staff have been reeducated on the need to safeguarding patient information and practice workflow has been updated to enhance the protections for sensitive patient information. No reports have been submitted to suggest any information has been used for ill means.

NJ Chilton Medical Center Breach Exposes 4,600 Patients

Pequannock, NJ Chilton Medical Center (CMC) has discovered that a member of staff stole and sold computer hardware containing the PHI of patients. Names, addresses, medical record numbers, birth dates, allergy histories and medications received at CMC were stored on a hard drive that was stolen by an employee and sold on the Internet.

Selling the hard drive had not been authorized by CMC and was in violation of the medical center’s policies. The incident has been reported to the police as a theft and the Morris County Prosecutor’s Office has been alerted. According to the breach notice posted on the medical center’s official website, the employee no longer works at CMC.

After the incident was identified, an internal investigation was initiated, and it became apparent that this was not the first instance where computer hardware and assets had been stolen by the former employee and sold. Those additional devices and assets are not thought have stored any patient information, although the investigation is still open.

Patients impacted by the breach incident had visited CMC for treatment between May 1, 2008 and October 15, 2017. All patients put at risk by were notified of the security incident on December 15, 2017. CMC said extra processes and controls have been put in place to cut out incidents such as this going forward.

The Department of Health and Human’ Services Office for Civil Rights (OCR) has been made aware of the incident where, reports suggest, 4,600 patients have been affected.

Author: Maria Perez