PHI of 6,600 Patients Has Been Exposed


NYU Langone Health System Data Breach

A binder that contained a log of presurgical insurance authorizations from NYU Langone Health System was mistakenly recycled by a cleaning company in October 2017. The binder contained information on about 2,000 patients, including names, dates of birth, dates of service, diagnosis codes, procedural terminology codes, insurance ID numbers and insurer names. Some records may have included brief notes on insurance approval, denial and inpatient/outpatient status. The records did not contain any Social Security numbers or any financial information.

HIPAA requires the secure disposal of all PHI when it is no longer needed, which is typically done by shredding the documents. NYU Langone Health System implemented this policy, but the binder was not shredded because it was taken for recycling by mistake. Because the records included insurance ID numbers, NYU Langone Health System offered the affected patients free identity theft protection services and cyber monitoring services for one year through ID Experts.

Aside from notifying the patients, NYU Langone Health System also retrained staff on safeguarding patient information and updated its workflow to improve the security of sensitive patient information. No report of information misuse has been received to date.


Chilton Medical Center Data Breach

An employee of Chilton Medical Center (CMC) in Pequannock, NJ stole computer hardware that stored patient PHI. The patient information found on the hard drive included names, dates of birth, addresses, medical record numbers, details of allergies, and medications received. The employee took the patient information and sold it on the internet.

CMC did not authorize the sale of the information, which was a breach of CMC’s policies. The theft was reported to the Morris County Prosecutor’s Office. A breach notice posted on CMC’s website stated that the employee no longer works for CMC.

When the computer hardware theft was discovered, an internal investigation was conducted. It found that this was not the first such incident. The employee had previously stolen other hardware and assets from CMC and sold them online, although the other stolen devices did not contain patient information.

About 4,600 patients who went to CMC for medical services from May 1, 2008 to October 15, 2017 were affected by the breach. They received notifications of the incident on December 15, 2017. CMC implemented other controls to prevent similar incidents from happening and also notified the Department of Health and Human Services’ Office for Civil Rights of the breach.