A missing – and most likely stolen – hard drive from the World Trade Center Medical Monitoring and Treatment Program at Mt. Sinai Hospital contained e-mails with some some protected health information. The drive was taken from a computer in the Mental Health Center.
According to a notification letter (Page 1 Page 2) sent to those affected:
The information contained on the missing hard drive did not include your Social Security number. However, it may have included potentially identifying information including name, and in some instances phone number and/or address, as well as limited mental health information, possibly including assessment and treatment information.
To date, the incident does not appear on HHS’s breach reporting site.
Although I could not immediately find a notice on the program’s site at this time, their communications office kindly pointed me to this press release of September 17:
Mount Sinai School of Medicine announced today that a hard drive which may contain confidential patient information has been found to be missing from a personal computer in the offices of the World Trade Center Medical Monitoring and Treatment Program. An investigation has been launched, and there is no reason at this time to believe that any data on the missing hard drive have been accessed or used improperly.
Information about as many as 1,500 patients may be contained on the missing hard drive, including identifying information and, in some cases, protected health information. The hard drive was password protected, but a person with sophisticated computer abilities might be able to bypass the password protection.
To ensure there is no recurrence, all computers in the Program have been physically secured and the hard drives have been encrypted. Mount Sinai has also reported this matter to potentially affected patients and to the appropriate state and/or federal agencies as required by applicable law. These patients have been advised to check their credit reports and to take appropriate precautions against possible identity theft.
One of those notified about the breach told PHIprivacy.net that he is a recovering 9/11 civilian volunteer:
All I ask from anyone is the respect, dignity and care that I’ve earned. Nothing more. Unfortunately, the lax attitude by the Mt Sinai administrators of medical records security is yet another indicator of the lack of sober policy and management in the Mt Sinai program. I am further disturbed by the thought that my confidential medical records may be in the hands of unscrupulous individuals somewhere on the streets of New York. Clearly, I joined the program to heal. This latest debacle has created more wounds, and is far from healing.
The insult to injury is that the only consequences to this breach will be felt by the patients only. Certainly not the administrators. One has to ask where is the oversight? Where is the outrage by elected officials?
As noted above, the data were not encrypted but have since been. While that assurance may sound appropriate, this is not the first incident of this kind involving this program. So why didn’t the program encrypt all PHI or devices after the data breach in 2005 when a laptop with unencrypted information was stolen? Or why didn’t they deploy an equally effective security system? Both incidents reportedly involved hardware stolen from program offices.
I contacted the program by e-mail to ask for an explanation of why the hard drive contained unencrypted data at rest in light of the previous theft in 2005. Although they pointed me to their press release for the other questions I had, they did not answer my question as to why after one theft in 2005, the drives were not already encrypted prior to this incident. If I do get a response from them on this, I will update this blog entry.