NYU Langone notified 1,123 patients of privacy issue due to mailing vendor error

NYU Langone Health notified patients the week of January 4, 2022, about a potential privacy incident resulting in misdirected, limited patient information. The incident occurred on or about November 12, 2021, when a communication was sent via U.S. mail to inform patients of a planned relocation of an NYU Langone Health oncology surgeon originally based in Lake Success, New York. Upon investigation, it was discovered that the third-party vendor NYU Langone used to complete this mailing reformatted the address list, which resulted in a misalignment of patient names and addresses on the envelope. As a result, individual patient communications were sent to incorrect addresses. Importantly, the communication itself was a generic “Dear Patient” letter and did not include any patient information pertaining to the intended recipient. Additionally, no other personal or health information, such as treatment information or social security number, was included. NYU Langone is currently mailing letters to alert those affected by this incident and has established a dedicated toll-free call center at 800-939-4170, to answer any questions patients may have with representatives available Monday through Friday from 9:00AM to 9:00PM Eastern Standard Time. Following this incident, NYU Langone requested and received assurances from the vendor that they have reviewed their practices and will implement any necessary changes to protect from similar misdirected mailings of patient information in the future. NYU Langone will also continue to review its own internal processes and procedures to help prevent such incident as this from happening again. Source: NYU Langone Health The incident was reported to HHS on January 6 as involving 1,123 patients.

NYU Langone Health Notifies Patients of Improperly Disposed Binder Containing Patient Information

NYU Langone Health notified patients this week that a binder containing a log with information related to presurgical insurance authorizations from NYU Langone Health Pediatric Surgery Associates was mistakenly recycled by NYU Langone’s cleaning company on October 17, 2017. Patient social security numbers were not included and therefore are not at risk, and there is no indication that the information has been misused in any way. Approximately 2,000 patients were affected, and information for those patients included name, date of birth, date of service, diagnosis code, current procedural terminology code, insurer name and identification number, and potentially other short related comments, such as any insurance approval or denial information and inpatient or outpatient status. Although there is no indication that this information has been misused, because the documents were not disposed of in accordance with NYU Langone’s standards, such as shredding, and insurance identification numbers were included, as a precautionary measure NYU Langone has arranged for these patients to receive identity theft protection with cyber monitoring from ID Experts at no cost for one year. NYU Langone is committed to protecting the privacy and security of its patients’ health information and has taken steps to ensure that a similar incident will not occur. Staff was reeducated on the importance of safeguarding patient information and the practice updated their workflow to further protect such information. As required by law, NYU Langone reported this incident to the Department of Health and Human Services Office for Civil Rights. Contact Us A dedicated phone line and call center team has been set up to answer questions of those concerned that they may have been impacted. The center can be reached toll free Monday through Friday, from 8:00AM to 8:00PM eastern standard time, at 888-684-4952. SOURCE:  NYU Langone Update: This was reported to HHS on December 15 as impacting 2,138 patients.

NYU Langone Medical Center Notified Patients of Stolen Unencrypted Laptop Containing Patient Information

In July, I noted that NYU Langone Medical Center had notified 8,400 patients of a stolen computer containing their protected health information.  At the time, I wasn’t aware that they had also reported a breach in June involving a stolen laptop containing protected health information. Today I stumbled across a copy of their notice on their web site: NEW YORK, June 20, 2014 – NYU Langone Medical Center notified patients this week that an unencrypted personal laptop containing patient personal and/or protected health information (PHI) was stolen on Friday, April 25, 2014, from the car of an employee traveling in California. Upon discovering the theft, the employee promptly filed a police report with the California police department and notified the Medical Center of the incident. Information included on the hard drive potentially includes patient name, age, zip code, medical record number, and medication information for over 500 patients. NYU Langone is currently investigating this incident, and at this time there is no indication that the information on the stolen laptop has been misused or disclosed in any way that would adversely affect its patients. Additionally, patient financial information and social security numbers were not included and therefore are not at risk. However, as a precautionary measure identity theft protection by AllClear ID is being offered for 12 months to all affected patients at no cost to them. The use and storage of PHI on unencrypted personal devices is strictly prohibited and against Medical Center policy. NYU Langone is committed to protecting the privacy and security of all patient information through training and technology, and in response to this incident, has taken the appropriate steps to prevent a similar incident from occurring including: An assessment and update of our information security policies relating to accessing Medical Center information on personal devices, Individualized and Medical Center-wide employee training on policies and procedures specific to this incident, Medical Center-wide communications on the proper protection of patient information including secure ways to access Medical Center e-mail on personal devices, Further consideration of corrective action measures. A dedicated phone line and call center team has been set up to answer questions of those concerned that they may have been impacted. The center can be reached Monday through Saturday, from 9 a.m. to 9 p.m. eastern standard time at (877) 615-3765 (toll free). The breach was added to HHS’s public breach tool on July 14 as “NYU Hospitals Center.” Their submission to HHS indicates that 872 patients were involved.

NYU Langone Medical Center notifies 8,400 neurosurgery patients that stolen computer may contain patient health info

NEW YORK, July 23, 2012 – NYU Langone Medical Center notified patients this week that a desktop computer containing personal health information was discovered stolen from the Faculty Group Practice office of John G. Golfinos, MD, chair of the Department of Neurosurgery on May 23, 2012. Although the computer was not encrypted, it was password protected and additional software would be needed to retrieve any data files, minimizing the risk that the information would actually be accessed. In addition to data from Dr. Golfinos’ office, the stolen computer also contained patient data from the practices of Erik C. Parker, MD, associate professor of neurosurgery as well as the former practice of neurosurgeon Patrick J. Kelly, MD. The data on the computer was duplicated by the medical center prior to the theft, so no clinical information was permanently lost. The computer contained data of about 8,400 patients, of which approximately 5,000 contained social security numbers. NYU Langone Medical Center is offering identity theft protection to all patients whose social security numbers may have been compromised. Other data on the computer includes name, address, date of birth, telephone number, insurance information, and clinical information related to visits to these physicians. There is no indication at this time that the information on the stolen computer has been accessed, misused, or disclosed in any way. This incident was promptly reported to both NYU Langone Medical Center Security and the New York City Police Department and will be reported to the Office of Civil Rights, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Though security cameras did capture video of the individual suspected of the theft and was shared with police, the person responsible for the theft has not yet been identified, and the computer has not been recovered. NYU Langone Medical Center is committed to protecting the privacy and security of our patients’ medical information and since this incident has taken affirmative steps and additional security measures, including moving protected health information from desktop computers to secure network drives and retraining staff regarding proper safeguarding of private patient information. NYU Langone Medical Center’s Office of Compliance has set up a dedicated telephone line to answer patient’s questions regarding this issue. Our dedicated team can be reached at (877) 615-3775. Source: NYU Langone Medical Center. For other breaches reported by the center, see previous coverage on this blog.

NYU Langone Medical Center's Hospital for Joint Diseases Notifies Patients Of Potential Data Breach

Another potential breach at NYU Langone Medical Center, it seems.  From their notice, posted August 22: NYU Langone Medical Center’s Hospital for Joint Diseases (HJD) notified patients that documents containing limited personal information were mistakenly discarded, compacted and buried in a landfill outside of New York State. The documents consisted of paper tracking records of tissue used in orthopaedic surgeries performed at HJD in 2009 and 2010 involving approximately 2,600 patients, and did not contain financial information or social security numbers. There is no indication of adverse use of patient information. The discarded documents contained patient name, date of birth, gender, name of the hospital, date of the surgery, and clinical information related to the surgery.  In some documents related to surgeries performed in 2010, patient name and date of birth were not included. All patients for whom the medical center has a current address have been notified of this issue by first class mail, as required by the federal Health Information Technology for Economic and Clinical Health Act (HITECH Act). NYU Langone Medical Center is committed to protecting the privacy and security of its patients’ medical information. Since this incident the medical center has taken affirmative steps and put in place additional security measures to ensure that document losses such as this do not reoccur. The NYU Langone Medical Center’s Office of Compliance has set up a dedicated telephone line to address patients’ questions and concerns regarding this issue at 1-877-698-2333, Monday-Friday between the hours of 9:00 a.m. and 5:00 p.m. According to HHS’s breach tool, the incident occurred on June 23.  HHS’s entry indicates 1,600 patients, however, not 2,600 as mentioned above, so I’m not sure which is the more current/accurate number.

NYU Langone Medical Center Notifies Patients That Stolen Computer Contained Clinical Information

NYU Medical Center has posted the following breach notification on its web site, dated March 29, 2011: NYU Langone Medical Center notified patients recently that a desktop computer was discovered stolen from an NYU School of Medicine Faculty Group Practice physician’s office on January 27, 2011. The computer contained correspondence with patients regarding their office visits but contained no financial information. A suspect has been arrested, although the computer has not been recovered. The theft occurred on the fifth floor of Bellevue Hospital Center in an office used for research and not patient care. The computer contained correspondence regarding the office visits of 670 patients that occurred between April 4, 1999 and September 30, 2008. NYU Langone was able to recreate the correspondence from the stolen desktop using encrypted network back-up files. All patients with current addresses have been notified of this issue by first class mail. The majority of correspondence on the stolen computer (653 letters) included patient name, diagnosis, the results of diagnostic tests, and clinical information gathered during the patient’s visit to the physician’s office. An additional 26 letters may have included information such as medical record numbers, home address, date of birth, patient occupation, and, in only two instances, social security numbers. At this time there is no indication that patient information stored on the stolen computer has been adversely used or disclosed. NYU Langone Medical Center is committed to protecting the privacy and security of our patients’ medical information, and since this incident, we have taken affirmative steps and additional security measures to ensure that thefts such as this do not occur again. The NYU Langone Medical Center’s Office of Compliance has set up a dedicated telephone line to answer patient’s questions regarding this issue at 1-877-698-2333, Monday-Friday between the hours of 9:00 a.m. and 5:00 p.m. Now that is a pretty terrific disclosure notice. Kudos to NYU for providing a clear description of the types of data involved and who might be affected. I’m just not sure I understand whether the computer was stolen on January 27 or just first discovered stolen on January 27..? Updated May 4: According to NYU’s report to HHS, the theft occurred on January 27.

NYU Urology Associates notifies patients whose information was sent to a patient in March.

An incident recently added to HHS’s public breach tool involves NYU Urology Associates. According to the log entry, 835 patients were affected by a breach that occurred on February 19, 2014. I was able to locate a statement on NYU’s website about the incident: NYU LANGONE MEDICAL CENTER NOTIFIES PATIENTS OF DATA BREACH October 10, 2014 – NYU Langone Medical Center notified patients today that a CD containing protected health information (PHI) was unintentionally sent to an NYU Langone patient in March 2014. The Medical Center was made aware of this incident on August 14, 2014, and has since been in contact with the recipient to secure the CD. At this time there is no indication that the information on the CD has been misused or further disclosed in any way. Additionally, patient financial information and social security numbers were not included and therefore are not at risk. This incident occurred when the Medical Center’s processes to provide an individual his requested patient records were not followed, causing the PHI of others to mistakenly be copied onto a CD. Because the CD contained PHI of over 500 patients, NYU Langone notified the U.S. Department of Health and Human Services Office for Civil Rights. The information included patient name, age, chart number, provider name, and clinical information related to a visit at Urology Associates in the early 2000s. Individuals affected can protect themselves by always reviewing insurance claims forms and by being alert to anyone attempting to sell them medical products. A dedicated AllClear ID team phone line and call center team has been set up to answer questions of those concerned that they may have been impacted. The center can be reached at 866-979-2597 (toll free) Monday – Saturday 9 a.m. to 9 p.m. EST. NYU Langone takes the protection of health information very seriously and is taking steps to prevent a similar occurrence. Department staff is being retrained regarding the importance of safeguarding health information and a Medical Center-wide communication on the proper ways to protect sensitive information will be distributed.

December was one of the busiest months for health data breach disclosures

While you are eagerly awaiting the release of Protenus’s annual review of 2017 health data breaches, I thought I’d mention that December closed the year out with a bang with 52 possible breaches being disclosed. Only June, 2017 (with 53 reports) exceeded December. Of the 52 entries, 20 were hacking incidents and 17 were insider incidents.  Ransomware was specifically mentioned in nine of the incidents. Not all of these incidents were reported on DataBreaches.net, so you may seem some unfamiliar listings below. If you don’t see an incident below that you think should have been included, keep in mind that sometimes this site reports or include an incident weeks or months before other outlets or resources reports it. For some incidents, I was unable to obtain additional details about their submissions to HHS. In alphabetical order, with links to some coverage if you want to know more: Absolute Dental Hygiene, LLC Arrohealth Blue Cross Blue Shield of Massachusetts Bronson Healthcare Group  (statement had been emailed to DataBreaches.net: phishing incident in June impacted 8,256 patients) Center for Health Care Services Central Iowa Hospital Corporation d/b/a Blank Children’s Hospital (submitted to HHS) Charleston Area Medical Center Children’s Hospital Los Angeles Chilton Medical Center Colorado Center for Reproductive Medicine  Minneapolis Colorado Mental Health Institute Columbus Surgery Center Compassion Care Hospice Las Vegas, LLC (submitted to HHS) Dameron Hospital (Report missing – does this involve patient data?) Dignity Health Foundation (submitted to HHS) Emory Healthcare (University of Arizona College of Medicine) Episource Eye Physicians Franciscan Physician Network of Illinois Golden Optometric (Sheldon M. Golden O.D., Optometric Corporation) Golden Rule Insurance Company (submitted to HHS) Henry Ford Health System Kaiser Foundation Kaiser Foundation (different incident, listed on HHS) Longs Peak Family Practice Mad River Twp. Fire and EMS MEDHOST (disputed, question: dns redirect incident) Memphis Pathology Laboratory d/b/a American Esoteric Laboratory (submitted to HHS) Midland Memorial Hospital MidMichigan Medical Center-Alpena Miracle-Ear Molina Healthcare (submitted to HHS) Mount Carmel Health System National Capital Poison Center NYU Langone Health Pediatric Surgery Associates Pharmacy Innovations (submitted to HHS) SAY San Diego (Social Advocates for Youth, San Diego) Shohei Ohtani case Sinai Health System Specialty Physicians of Illinois, LLC SSM Health St. Charles Health System Stanford University Graduate School of Business Stanislaus County Behavioral Health and Recovery Services UNC Health Care (University of North Carolina) University of South Florida, USF Health Care (submitted to HHS) Unknown Provider(s) Vermont Health Connect Wager Evans Dental (BEE Dental) Washington Health System Greene Washington Hospital Women’s Health Consultants

Tiger impersonator’s ex ‘stole medical records to fake pregnancy’

Rebecca Rosenberg reports: First, Minochy Delanois, 29, pulled her Tiger Woods-impersonator boyfriend through the rough — telling cops he’d harassed her and had even threatened to send nude pics of her to her bosses at NYU Langone Medical Center after she dumped him. But now, a little more than a year later, the charges against Canh Oxelson, the head of college counseling at Horace Mann School, have been dismissed and Delanois is the one in cuffs. […] Oxelson, a Harvard grad, had made good money impersonating the disgraced golf great for more than a decade, earning as much as $3,000 an appearance. Investigators soon discovered Delanois had allegedly stolen medical records of patients in a desperate bid to keep Oxelson in her clutches. Read more on The New York Post. Given all the media coverage last year about Oxelson allegedly threatening revenge porn, and all the reputation harm he experienced if you look up his name in a Google search, it’s important to get these latest developments out in the news so that people see the charges against him were dismissed and he may have been the victim of his accuser.

Update: Jersey City doctor's office where medical records were stolen is empty

There’s an update to a case involving the theft of 40,000 patients’ records from a Jersey City physician’s shed. Sudip Bhattacharya reports: The Jersey City doctor’s office where thousands of medical records were recently stolen was completely empty this afternoon and appears to be in the midst of a renovation. The first floor of Dr. Nisar A. Quraishi’s office on Chopin Court, where cops say some 40,000 patients’ medical records were stolen from a storage shed, is a gutted, empty space with exposed beams and no carpet. Read more on NJ.com. Because NJ.com’s two reports both noted the doctor’s affiliation with NYU Langone, PHIprivacy.net reached out to them to inquire whether the stolen records included their patients. In response, a spokesperson sent this statement: The patient records involved were from Dr. Quraishi’s private practice that closed several years ago and therefore do not include any treatments provided by him since his employment with NYU Langone as of January 2014. The medical records of patients who were treated at NYU Langone by Dr. Quraishi are not part of the breach in question. If, as NYU’s statement suggests, the physician’s private practice closed “several years ago,” and his Jersey City office location is empty, that raises yet even more questions about the doctor’s physical security and storage of patient records. Off-site secure storage costs money, yes, but I wonder what this breach will cost Dr. Quraishi. I suspect he’s really going to regret not using another storage strategy.