NY: Bellevue Hospital notifying 3,300 patients of breach

Jacobi Medical Center wasn’t the only hospital run by the Health & Hospitals Corporation that reported a breach on April 28.  Bellevue Hospital Center also reported one:

The incident in question occurred on January 15, 2015 and was discovered on February 27, 2015 when, in the course of HHC’s monitoring of outgoing emails, we identified an email attachment that a Bellevue employee improperly sent to her relative’s e-mail account at the relative’s place of employment.

Here’s their notice:

The New York City Health and Hospitals Corporation (HHC), which operates Bellevue Hospital Center began this week to notify about 3,300 Bellevue patients about the possible disclosure of some of their protected health information (PHI) when a Bellevue employee improperly sent a spreadsheet containing PHI to an unauthorized recipient.

The unauthorized disclosure was discovered by HHC’s information governance and security program that, among other things, monitors and detects all email communications that contain PHI and other confidential information that are sent from HHC’s information systems without proper authorization. A sample notification to the affected patients is attached. Notifications will also be posted on the HHC website and will be distributed to numerous New York area news outlets. The information in the spreadsheet included the names, medical record numbers, e-mail addresses, insurance carrier information, and limited sensitive health information of the affected patients.

Based on HHC’s investigation into the unauthorized disclosure, the spreadsheet has been deleted from all known unauthorized sources to which it was sent and there is no basis to believe that it was forwarded to any other site before deletion. There is no evidence to suggest that the spreadsheet was received or viewed by anyone other than the single unauthorized recipient, and there is no evidence to suggest that the PHI contained in the spreadsheet was misused or further disclosed in any manner.

Nonetheless, in an abundance of caution, HHC has taken decisive steps to protect the individuals who are potentially affected by offering, through a third-party vendor, free credit monitoring services for one year to those patients whose medical records may have been improperly disclosed. Affected patients who have questions about this incident, including how to sign up for free credit monitoring services, may contact Bellevue Privacy Officer Christopher Roberson at (212) 562-4316.

HHC has taken immediate measures to prevent the recurrence of an incident of this nature by automatically blocking of email communications containing PHI and other confidential information from being sent from HHC’s information systems to any site or entity outside of the HHC security network unless for a legitimate business purpose.

About the author: Dissent