Patients’ PHI Compromised at FDNY and Perry County Medical Center Data Breaches

by

From 2011 to 2018, the New York Fire Department (FDNY) had used its ambulance to bring over 10,000 EMS patients to the hospital. Due to a breach of data security, the protected health information (PHI) of some patients were exposed.

Myles Miller, FDNY’s spokesperson, said that an employee did not observe the appropriate data security policies of the department, so that a loss of data resulted.

The fire department became aware of the missing personal hard drive of the employee on March 4, 2019. The employee stored documents with PHI and patient care reports in the hard drive.

Every time there is a 911 call that needs an ambulance, a patient care report is created. The hard drive stored the data reports of 10,253 patients, including their names, phone numbers, addresses, birth dates, insurance details and health status. The reports also include the Social Security numbers of roughly 3,000 patients.

FDNY is currently sending breach notification to all affected people and is offering complimentary credit monitoring services to those who had their Social Security numbers compromised. The data breach is being treated as if there was an unauthorized access of information.

Though the employee concerned is authorized to access patient information, he was not allowed to save PHI files in any portable, unencrypted hard drive. So, the employee will get the appropriate disciplinary measures. Then, all employees who have medical data access will undergo further training.

Tennessee Health Group Email Account Breach

The email account of an employee of Perry County Medical Center based in Linden, TN, also known as Three Rivers Community Health Group, had been accessed by an authorized person. The incident was discovered on May 28, 2019 and forensic investigators concurred the potential viewing or copying of patient data.

The messages and email attachments in the account contained these types of information: names, names of doctor, dates of service, pharmacy and medication details, insurance group ID numbers and birth dates. Only the first and last names of a number of patients were exposed.

The medical center issued breach notifications to the affected patients on July 26, 2019 and implemented extra security steps to keep similar breaches from happening again.

There were 3,812 patients affected by the breach as per the breach summary posted on the HHS’ Office for Civil Rights breach portal.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]