It seems that 2011 was not exactly a stellar year for the NYC Health & Hospitals Corporation (“HHC”) for data security.
The first HHC incident was the 2011 breach involving the theft of backup tapes with information on 1.7 million patients. HHC did not incur any monetary penalties for that breach.
The second incident, not previously known to this site, also occurred in 2011, but was only added to HHS’s database this past week.
HHS’s log entry for the incident looks like this:
New York City Health & Hospitals Corporation,NY,””,10058,07/01/2011,Unauthorized Access/Disclosure,Paper,11/07/2014,
So why is a breach that impacted over 10,000 patients in 2011 first showing up now in HHS’s database? It turns out that HHC only discovered the breach in August of this year and only notified patients in October of this year.
A statement posted October 10, 2014 on HHC’s website reads:
The New York City Health and Hospitals Corporation (HHC) this week began to notify 10,058 patients who received services at four now-closed clinics in Brooklyn about the possible disclosure of some of their personal or protected health information (PHI) when records were improperly stored in boxes in an enclosed employee parking garage at the East New York Diagnostic and Treatment Center. A sample notification to the affected patients at (1) the Howard Houses Child Health Center; (2) the Brevoort Houses Child Health Clinic; (3) the Fifth Avenue Child Health Clinic and (4) the Brownsville Child Health Clinic is attached.
There is no evidence to suggest that the files were accessible to the general public or that the protected health information in the files has, in fact, been improperly accessed by any person or entity. Nonetheless, the records were stored in a manner that HHC staff without authority to access such records could have accessed them.
In an abundance of caution, HHC has taken decisive steps to protect the individuals who are potentially affected, by immediately securing and removing the boxes of records and properly storing them, and timely notifying the required federal oversight agency.
HHC, through third party vendor AllClear ID, Inc., is offering free credit monitoring and identity protection services for one year to those patients whose medical records were stored in the garage. HHC has also set up a toll-free hotline, 1-866-979-2599, to provide additional information. Notifications will also be posted on the HHC website and will be distributed to numerous New York area news outlets.
Personal health information can include name, address, diagnosis, medications, treatment regimen, medical record number, and social security number.
HHC has taken immediate measures to prevent a reoccurrence of this incident by increasing the number of security and privacy walk-throughs it conducts at its facilities and by ensuring that the HHC workforce is reminded of the importance of managing PHI in a safe and secure manner and of reporting any incidents where that is not the case.
So that was their second incident in 2011. But it turns out there was a third incident. Follow me to the next post.