NY: Jacobi Medical Center notifies 90,060 patients after employee emailed PHI to her personal account and new email address at another employer
Jacobi Medical Center, part of the New York City Health & Hospitals Corporation, issued this statement on April 28:
The New York City Health and Hospitals Corporation (HHC) this week began to notify about 90,000 HHC patients about the possible disclosure of some of their protected health information (PHI) that may have occurred when a former employee at HHC Jacobi Medical Center in the Bronx improperly accessed and transmitted files containing PHI to her personal email account and her email account at her new employer, which is a New York City agency. The unauthorized disclosure was discovered by HHC’s information governance and security program that, among other things, monitors and detects all email communications that contain PHI and other confidential information that are sent from HHC’s information systems without proper authorization. A sample notification to the affected patients is attached.
There is no evidence to suggest that the subject files were received or viewed by anyone other than the former employee, and there is no evidence to suggest that the PHI contained in these files was misused or further disclosed in any manner. Based on actions taken by HHC, the PHI has been deleted from all known unauthorized sites and sources to which it was sent and there is no basis to believe that it was forwarded to any other site before it was deleted.
Nonetheless, HHC has taken decisive steps to protect the individuals who are potentially affected, and through third-party vendor ID Experts, Inc. is offering free credit monitoring and identity protection services for one year to those patients whose medical records may have been improperly disclosed. HHC has also set up a toll-free hotline, 1-866-487-6522, to provide additional information. Notifications will also be posted on the HHC website and will be distributed to numerous New York area news outlets.
PHI in the emails included patient names, addresses, dates of birth, telephone numbers, medical record numbers, treatment dates and types of services, limited sensitive health information, and, for some patients, health insurance identification numbers which may have included their social security numbers.
HHC has taken immediate measures to prevent the recurrence of this incident, including the automatic blocking of communications containing PHI and other confidential information from being sent from HHC’s information systems to any site or entity outside of the HHC security network other than for legitimate business purposes.
The sample notification letter explains:
By way of background, HHC has implemented an information governance and security program that, among other things, monitors and detects all email communications that contain PHI and other confidential information that are sent outside of HHC’s information systems without proper authorization. The incident in question, which occurred on February 19, 2015, was discovered on February 27, 2015, when, in the course of HHC’s monitoring of outgoing emails, we identified a number of emails containing files of PHI that were accessed by a former Jacobi employee after her employment ended on February 13, 2015. The former employee sent these files to her personal email account. She also sent these files to the email account of her new employer, which is a New York City agency that works closely with HHC. According to the former employee, she accessed and sent the subject files to these email accounts in the event that in the future she had to respond to questions about her past work at JMC.