Candic Ruud reports:
The North Shore-Long Island Jewish Health System is warning about 18,000 patients that their personal, health and insurance information is at risk due to a potential data breach.
Five laptops were stolen last September from the offices of Global Care Delivery, a Texas-based firm that contracted with North Shore-LIJ and other providers to process and collect payments owed by insurers to hospitals, officials said Friday.
Four of the laptops may have files containing information on about 18,000 North Shore-LIJ patients — including names, dates of birth, internal account numbers, diagnosis and procedure codes, and insurance identification numbers, according to the health system.
Read more on Newsday.
If the business associate discovered this breach on September 2, notification of the covered entity in May is way past the 60 days specified in HITECH. I wonder if HHS will fine them for this serious delay.
Update: Here’s the notification letter template to NSUH patients. The notification indicates that the types of PHI involved included:
- name
- date of birth
- insurance identification number
- Social Security number
- limited clinical information
Their notification to the NH Attorney General’s Office indicates that the “limited clinical information” refers to diagnostic and treatment codes.
Neither letter explains the 8-month delay between the theft of the password-protected (but not encrypted) laptops and their notification to NSUH-LIJ.