• New York's Lincoln Medical and Mental Health Center ("the hospital") experienced a breach of personal information.

Relevance to Business Activities:

• security - physical and technical safeguards considerations:
  • seven CDs full of unencrypted data were FedExed by a hospital contractor and then lost in transit:
    • the CDs were created and sent by the hospital's billing processor, Siemens Medical Solutions USA, but never arrived at their intended destination:
      • FedEx has suggested that the CDs likely became separated from their shipping envelope at one of its facilities, were swept up and destroyed.
    • the CD was password-protected but unencrypted;
    • they included sensitive health and personal information including:
      • Social Security numbers;
      • addresses;
      • dates of birth;
      • health plan numbers;
      • driver's license numbers; and
      • descriptions of medical procedures.
  • Siemens is no longer FedExing CDs to the hospital.

• breach response considerations:
  • the hospital:
    • is notifying patients that their personal information may have been compromised:
      • the breach affects 130,495 patients.
    • notified the:
      • U.S. Department of Health and Human Services; and
      • New York City Health and Hospitals Corporation.
    • posted a notice on its website, which included:
      • information about how to obtain a free credit report and avoid identity theft.

Source Documents:

http://www.businessweek.com/idg/2010-06-29/new-york-hospital-loses-data-on-130-000-via-fedex.html

http://www.nyc.gov/html/hhc/lincoln/html/news/public_notice_20100604.shtml

http://www.nyc.gov/html/hhc/lincoln/downloads/pdf/lincoln-security-notice-2010-06-eng.pdf