The Jersey City Medical Center is notifying patients whose unencrypted protected health information was on a CD lost by United Parcel Service in June. The CD contained data the center was required to provide to Medicaid, and included patients’ names, social security numbers, and for some patients, date of birth, medical record number, gender, and information on visits to the Medical Center in 2011: admission and discharge dates, inpatient or outpatient status, number of days care was received, dollar amount of Medical Center charges incurred for care, name of health insurance payor(s), amounts paid by patient or insurers, and/or general type of claim and/or revenue code.
The notification letter, signed by Shani Newell, Privacy Officer, notes “The CD did not include your address, any other personal contact information or specific medical information. ”
Those affected were offered credit monitoring services through First Watch Technologies.
The medical center has since changed its policies to no longer send unencrypted CDs with patient information and has also done some retraining of personnel to minimize future risks.