In July, I noted that NYU Langone Medical Center had notified 8,400 patients of a stolen computer containing their protected health information. At the time, I wasn’t aware that they had also reported a breach in June involving a stolen laptop containing protected health information. Today I stumbled across a copy of their notice on their web site:
NEW YORK, June 20, 2014 – NYU Langone Medical Center notified patients this week that an unencrypted personal laptop containing patient personal and/or protected health information (PHI) was stolen on Friday, April 25, 2014, from the car of an employee traveling in California. Upon discovering the theft, the employee promptly filed a police report with the California police department and notified the Medical Center of the incident.
Information included on the hard drive potentially includes patient name, age, zip code, medical record number, and medication information for over 500 patients. NYU Langone is currently investigating this incident, and at this time there is no indication that the information on the stolen laptop has been misused or disclosed in any way that would adversely affect its patients. Additionally, patient financial information and social security numbers were not included and therefore are not at risk. However, as a precautionary measure identity theft protection by AllClear ID is being offered for 12 months to all affected patients at no cost to them.
The use and storage of PHI on unencrypted personal devices is strictly prohibited and against Medical Center policy. NYU Langone is committed to protecting the privacy and security of all patient information through training and technology, and in response to this incident, has taken the appropriate steps to prevent a similar incident from occurring including:
- An assessment and update of our information security policies relating to accessing Medical Center information on personal devices,
- Individualized and Medical Center-wide employee training on policies and procedures specific to this incident,
- Medical Center-wide communications on the proper protection of patient information including secure ways to access Medical Center e-mail on personal devices,
- Further consideration of corrective action measures.
A dedicated phone line and call center team has been set up to answer questions of those concerned that they may have been impacted. The center can be reached Monday through Saturday, from 9 a.m. to 9 p.m. eastern standard time at (877) 615-3765 (toll free).
The breach was added to HHS’s public breach tool on July 14 as “NYU Hospitals Center.” Their submission to HHS indicates that 872 patients were involved.