Search Results : NYU Langone

Dec 192017
 

NYU Langone Health notified patients this week that a binder containing a log with information related to presurgical insurance authorizations from NYU Langone Health Pediatric Surgery Associates was mistakenly recycled by NYU Langone’s cleaning company on October 17, 2017. Patient social security numbers were not included and therefore are not at risk, and there is no indication that the information has been misused in any way.

Approximately 2,000 patients were affected, and information for those patients included name, date of birth, date of service, diagnosis code, current procedural terminology code, insurer name and identification number, and potentially other short related comments, such as any insurance approval or denial information and inpatient or outpatient status.

Although there is no indication that this information has been misused, because the documents were not disposed of in accordance with NYU Langone’s standards, such as shredding, and insurance identification numbers were included, as a precautionary measure NYU Langone has arranged for these patients to receive identity theft protection with cyber monitoring from ID Experts at no cost for one year.

NYU Langone is committed to protecting the privacy and security of its patients’ health information and has taken steps to ensure that a similar incident will not occur. Staff was reeducated on the importance of safeguarding patient information and the practice updated their workflow to further protect such information. As required by law, NYU Langone reported this incident to the Department of Health and Human Services Office for Civil Rights.

Contact Us

A dedicated phone line and call center team has been set up to answer questions of those concerned that they may have been impacted. The center can be reached toll free Monday through Friday, from 8:00AM to 8:00PM eastern standard time, at 888-684-4952.

SOURCE:  NYU Langone

Update: This was reported to HHS on December 15 as impacting 2,138 patients.

Aug 162014
 

In July, I noted that NYU Langone Medical Center had notified 8,400 patients of a stolen computer containing their protected health information.  At the time, I wasn’t aware that they had also reported a breach in June involving a stolen laptop containing protected health information. Today I stumbled across a copy of their notice on their web site:

NEW YORK, June 20, 2014 – NYU Langone Medical Center notified patients this week that an unencrypted personal laptop containing patient personal and/or protected health information (PHI) was stolen on Friday, April 25, 2014, from the car of an employee traveling in California. Upon discovering the theft, the employee promptly filed a police report with the California police department and notified the Medical Center of the incident.

Information included on the hard drive potentially includes patient name, age, zip code, medical record number, and medication information for over 500 patients. NYU Langone is currently investigating this incident, and at this time there is no indication that the information on the stolen laptop has been misused or disclosed in any way that would adversely affect its patients. Additionally, patient financial information and social security numbers were not included and therefore are not at risk. However, as a precautionary measure identity theft protection by AllClear ID is being offered for 12 months to all affected patients at no cost to them.

The use and storage of PHI on unencrypted personal devices is strictly prohibited and against Medical Center policy. NYU Langone is committed to protecting the privacy and security of all patient information through training and technology, and in response to this incident, has taken the appropriate steps to prevent a similar incident from occurring including:

  • An assessment and update of our information security policies relating to accessing Medical Center information on personal devices,
  • Individualized and Medical Center-wide employee training on policies and procedures specific to this incident,
  • Medical Center-wide communications on the proper protection of patient information including secure ways to access Medical Center e-mail on personal devices,
  • Further consideration of corrective action measures.

A dedicated phone line and call center team has been set up to answer questions of those concerned that they may have been impacted. The center can be reached Monday through Saturday, from 9 a.m. to 9 p.m. eastern standard time at (877) 615-3765 (toll free).

The breach was added to HHS’s public breach tool on July 14 as “NYU Hospitals Center.” Their submission to HHS indicates that 872 patients were involved.

Jul 242012
 

NEW YORK, July 23, 2012 – NYU Langone Medical Center notified patients this week that a desktop computer containing personal health information was discovered stolen from the Faculty Group Practice office of John G. Golfinos, MD, chair of the Department of Neurosurgery on May 23, 2012. Although the computer was not encrypted, it was password protected and additional software would be needed to retrieve any data files, minimizing the risk that the information would actually be accessed.

In addition to data from Dr. Golfinos’ office, the stolen computer also contained patient data from the practices of Erik C. Parker, MD, associate professor of neurosurgery as well as the former practice of neurosurgeon Patrick J. Kelly, MD. The data on the computer was duplicated by the medical center prior to the theft, so no clinical information was permanently lost.

The computer contained data of about 8,400 patients, of which approximately 5,000 contained social security numbers. NYU Langone Medical Center is offering identity theft protection to all patients whose social security numbers may have been compromised. Other data on the computer includes name, address, date of birth, telephone number, insurance information, and clinical information related to visits to these physicians. There is no indication at this time that the information on the stolen computer has been accessed, misused, or disclosed in any way.

This incident was promptly reported to both NYU Langone Medical Center Security and the New York City Police Department and will be reported to the Office of Civil Rights, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Though security cameras did capture video of the individual suspected of the theft and was shared with police, the person responsible for the theft has not yet been identified, and the computer has not been recovered.

NYU Langone Medical Center is committed to protecting the privacy and security of our patients’ medical information and since this incident has taken affirmative steps and additional security measures, including moving protected health information from desktop computers to secure network drives and retraining staff regarding proper safeguarding of private patient information.

NYU Langone Medical Center’s Office of Compliance has set up a dedicated telephone line to answer patient’s questions regarding this issue. Our dedicated team can be reached at (877) 615-3775.

Source: NYU Langone Medical Center.

For other breaches reported by the center, see previous coverage on this blog.

Sep 192011
 

Another potential breach at NYU Langone Medical Center, it seems.  From their notice, posted August 22:

NYU Langone Medical Center’s Hospital for Joint Diseases (HJD) notified patients that documents containing limited personal information were mistakenly discarded, compacted and buried in a landfill outside of New York State. The documents consisted of paper tracking records of tissue used in orthopaedic surgeries performed at HJD in 2009 and 2010 involving approximately 2,600 patients, and did not contain financial information or social security numbers. There is no indication of adverse use of patient information.

The discarded documents contained patient name, date of birth, gender, name of the hospital, date of the surgery, and clinical information related to the surgery.  In some documents related to surgeries performed in 2010, patient name and date of birth were not included.

All patients for whom the medical center has a current address have been notified of this issue by first class mail, as required by the federal Health Information Technology for Economic and Clinical Health Act (HITECH Act).

NYU Langone Medical Center is committed to protecting the privacy and security of its patients’ medical information. Since this incident the medical center has taken affirmative steps and put in place additional security measures to ensure that document losses such as this do not reoccur.

The NYU Langone Medical Center’s Office of Compliance has set up a dedicated telephone line to address patients’ questions and concerns regarding this issue at 1-877-698-2333, Monday-Friday between the hours of 9:00 a.m. and 5:00 p.m.

According to HHS’s breach tool, the incident occurred on June 23.  HHS’s entry indicates 1,600 patients, however, not 2,600 as mentioned above, so I’m not sure which is the more current/accurate number.

Mar 302011
 

NYU Medical Center has posted the following breach notification on its web site, dated March 29, 2011:

NYU Langone Medical Center notified patients recently that a desktop computer was discovered stolen from an NYU School of Medicine Faculty Group Practice physician’s office on January 27, 2011. The computer contained correspondence with patients regarding their office visits but contained no financial information. A suspect has been arrested, although the computer has not been recovered.

The theft occurred on the fifth floor of Bellevue Hospital Center in an office used for research and not patient care. The computer contained correspondence regarding the office visits of 670 patients that occurred between April 4, 1999 and September 30, 2008.

NYU Langone was able to recreate the correspondence from the stolen desktop using encrypted network back-up files. All patients with current addresses have been notified of this issue by first class mail.

The majority of correspondence on the stolen computer (653 letters) included patient name, diagnosis, the results of diagnostic tests, and clinical information gathered during the patient’s visit to the physician’s office. An additional 26 letters may have included information such as medical record numbers, home address, date of birth, patient occupation, and, in only two instances, social security numbers.

At this time there is no indication that patient information stored on the stolen computer has been adversely used or disclosed. NYU Langone Medical Center is committed to protecting the privacy and security of our patients’ medical information, and since this incident, we have taken affirmative steps and additional security measures to ensure that thefts such as this do not occur again.

The NYU Langone Medical Center’s Office of Compliance has set up a dedicated telephone line to answer patient’s questions regarding this issue at 1-877-698-2333, Monday-Friday between the hours of 9:00 a.m. and 5:00 p.m.

Now that is a pretty terrific disclosure notice. Kudos to NYU for providing a clear description of the types of data involved and who might be affected. I’m just not sure I understand whether the computer was stolen on January 27 or just first discovered stolen on January 27..?

Updated May 4: According to NYU’s report to HHS, the theft occurred on January 27.