DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Missing hard drive from WTC Medical Monitoring Program at Mt. Sinai contained PHI

Posted on October 27, 2010 by Dissent

A missing – and most likely stolen –  hard drive from the World Trade Center Medical Monitoring and Treatment Program at Mt. Sinai Hospital contained e-mails with some some protected health information. The drive was taken from a computer in the Mental Health Center.

According to a notification letter (Page 1 Page 2) sent to those affected:

The information contained on the missing hard drive did not include your Social Security number. However, it may have included potentially identifying information including name, and in some instances phone number and/or address, as well as limited mental health information, possibly including assessment and treatment information.

To date, the incident does not appear on HHS’s breach reporting site.

Although I could not immediately find a notice on the program’s site at this time, their communications office kindly pointed me to this press release of September 17:

Mount Sinai School of Medicine announced today that a hard drive which may contain confidential patient information has been found to be missing from a personal computer in the offices of the World Trade Center Medical Monitoring and Treatment Program. An investigation has been launched, and there is no reason at this time to believe that any data on the missing hard drive have been accessed or used improperly.

Information about as many as 1,500 patients may be contained on the missing hard drive, including identifying information and, in some cases, protected health information. The hard drive was password protected, but a person with sophisticated computer abilities might be able to bypass the password protection.

To ensure there is no recurrence, all computers in the Program have been physically secured and the hard drives have been encrypted. Mount Sinai has also reported this matter to potentially affected patients and to the appropriate state and/or federal agencies as required by applicable law. These patients have been advised to check their credit reports and to take appropriate precautions against possible identity theft.

One of those notified about the breach told PHIprivacy.net that he is a recovering 9/11 civilian volunteer:

All I ask from anyone is the respect, dignity and care that I’ve earned. Nothing more. Unfortunately, the lax attitude by the Mt Sinai administrators of medical records security is yet another indicator of the lack of sober policy and management in the Mt Sinai program. I am further disturbed by the thought that my confidential medical records may be in the hands of unscrupulous individuals somewhere on the streets of New York. Clearly, I joined the program to heal. This latest debacle has created more wounds, and is far from healing.

The insult to injury is that the only consequences to this breach will be felt by the patients only. Certainly not the administrators. One has to ask where is the oversight? Where is the outrage by elected officials?

As noted above, the data were not encrypted but have since been.   While that assurance may sound appropriate, this is not the first incident of this kind involving this program. So why didn’t the program encrypt all PHI or devices after the data breach in 2005 when a laptop with unencrypted information was stolen?  Or why didn’t they deploy an equally effective security system? Both incidents reportedly involved hardware stolen from program offices.

I contacted the program by e-mail to ask for an explanation of why the hard drive contained unencrypted data at rest  in light of the previous theft in 2005.  Although they pointed me to their press release for the other questions I had, they did not answer my question as to why after one theft in 2005, the drives were not already encrypted prior to this incident. If I do get a response from them on this, I will update this blog entry.

Related posts:

  • Former Mount Sinai Medical Center employee convicted in patient ID theft for tax refund fraud scheme
  • Small-Scale Violations of Medical Privacy Often Cause the Most Harm
  • Updating: CaptureRx incident impacted more than 2.4 million. List of Entities.
  • FL: Former Mount Sinai Medical Center Temporary Employee Sentenced In Identity Theft Tax Refund Scheme Involving The Theft Of Patient Information
Category: Health Data

Post navigation

← TX: HISD investigating how its computers were hacked
Two Bulgarian nationals charged in alleged ATM skimming scheme →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.