For NYC Health & Hospitals Corporation, 2011 wasn't a great year for data security, Part 2
In the process of investigating a previously-unknown 2011 breach involving NYC Health & Hospitals Corporation (HHC), I discovered that they had a third breach in 2011 that was also only recently discovered and disclosed. This third incident is not in HHS’s public database and won’t be, because it involves less than 500 patients.
A statement dated August 27, 2014 on HHC’s website reads:
Data Breach Notification to Patients at Coler Rehabilitation and Nursing Care Center and Henry J. Carter Specialty Hospital & Nursing Facility
The New York City Health and Hospitals Corporation (HHC) has started to notify 102 patients from Coler Rehabilitation and Nursing Care Center (“Coler”), formerly the Coler-Goldwater Specialty Hospital and Nursing Facility, and Henry J. Carter Specialty Hospital & Nursing Facility, about a recent incident involving the unauthorized access of some of their protected health information (“PHI”). The PHI included the names, addresses, and social security numbers of the affected patients.
The incident in question occurred between approximately January 1, 2008 and April 30, 2013, during which period a Coler employee inappropriately accessed and used patient PHI, and submitted a fraudulent tax returns in the names of the affected patients. The employee subsequently received a tax refund based on the fraudulent tax return and unlawfully deposited the proceeds derived from the same into accounts under his control. The person responsible for the inappropriate use of Coler patient PHI was indicted and is being prosecuted by the United States Attorney’s Office for the Southern District of New York (U.S. Attorney).
HHC values and protects individuals’ privacy and confidentiality and deeply regrets any inconvenience and concern this may create for patients and others affected. HHC takes responsibility and has arranged for the availability of the services of a third-party vendor to provide credit monitoring and identity restoration services for a period of one year at no cost to affected individuals. Please contact HHC’s Office of Corporate Compliance (OCC) at (646) 458-7799 for information on how to obtain these services.
If you are one of the individuals who may have been affected, please see the notification letter for more information about the incident and the services available to you.
So to recap: in 2011, HHC had a backup tape with 1.7 million patients’ info stolen from a vendor’s van, they left boxes with over 10,000 patients’ PHI stored improperly where they could have been accessed, and a rogue employee was stealing patient information for a tax refund fraud scheme – a scheme that went on for over 5 years without HHC detecting it.
HHC is a huge entity and there are many opportunities for things to go wrong with data security. Were there other breaches in 2011 that we don’t know about? Possibly (probably?). Hopefully, they have run an audit in 2014 and are doing a better job of securing patient information.