DataBreaches.Net


Over 82,000 patients in NJ and IL notified of theft of unencrypted drive left by a MedAssets employee in a car

Posted on September 19, 2011 by Dissent

On August 8, the Saint Barnabas Health Care System in New Jersey publicly disclosed a breach involving a Business Associate, MedAssets:

MedAssets, Inc., an independent revenue management and supply chain company that provides certain administrative and business services to the Saint Barnabas Health Care System, informed us on July 1, 2011 that an unencrypted external computer hard drive was stolen on June 24, 2011, from a MedAssets employee’s car, parked in a restaurant parking lot. The hard drive contained personal information used to determine eligibility for governmental benefits for certain patients of our six acute care hospitals.

The data contained patient names and for each such patient, information from one or more of the following categories: Medical Center account number, medical record number, date of birth, Medical Center charges incurred, amounts paid to the Medical Center, information on health insurance, eligibility for applicable governmental benefit programs and/or Medical Center admission and discharge dates. Social security numbers were included for about seven percent of the affected patients. The hard drive did not include any patient addresses, other financial information, or any clinical information regarding the patient’s care.

Patient privacy is of primary importance to the Saint Barnabas Health Care System; therefore, we have followed up extensively with MedAssets regarding this incident. Although at this time there is no evidence that the information in the hard drive has been improperly accessed or used, MedAssets has provided written confirmation that it is implementing improved privacy safeguards to avoid similar incidents in the future, including eliminating the use of all unencrypted hard drives used for data back-up by its employees and strengthening the enforcement of its existing policy prohibiting their use. We have also directed that MedAssets provide patient privacy retraining to its employees working at our facilities.

Letters are being sent to affected patients. Although no financial information was included other than social security numbers for certain individuals, patients are being advised to be aware of any suspicious activity and to monitor their credit reports and financial accounts. Patients with questions relating to this incident should call our toll-free hotline at 888-414-8023 between 8am and 5pm, Monday through Friday, and when prompted, enter the following 10 digit reference number: 7827072911.

While the theft of the external computer hard drive did not involve a Saint Barnabas Health Care System employee, we are making great efforts to protect our patients’ privacy and apologize for the inconvenience.

Although not mentioned in the notice on their site, the per-hospital counts reported to the U.S. Dept. of Health and Human Services were:

  • Clara Maass Medical Center had 8,795 patients affected by the incident;
  • Community Medical Center had 6,950 patients;
  • Kimball Medical Center had 6,785 patients;
  • Monmouth Medical Center had 6,443 patients;
  • Newark Beth Israel Medical Center had 15,015 patients; and
  • Saint Barnabas Medical Center had 6,179 patients.

This is not the first time that Saint Barnabas has reported a breach involving a business associate. In September 2010, they disclosed a breach involving KPMG. Also last year, Newark Beth Israel Medical Center disclosed a web exposure breach involving Professional Transcription Company.

Saint Barnabas wasn’t the only hospital system affected by the MedAssets breach, however. Patients at the Cook County Health and Hospitals System in Chicago, Illinois were also affected. In a notice posted on their web site on August 19, they write:

Dear Patient,

On Saturday, June 30, 2011, Cook County Health and Hospitals System (CCHHS) was notified by MedAssets, one of our Business Associates, that a computer hard drive was recently stolen.

CCHHS has learned that the information contained on the hard drive included names, encounter numbers and administrative information. We regret to inform you that your information was on the missing computer hard drive. Your addresses, birth date, and social security number were not on the hard drive.

The hard drive was neither password protected nor encrypted. Encryption is a process that converts the information on a computer into a format that cannot be easily understood by unauthorized people. Because the hard drive was not encrypted, there is a potential for others to see the information that was on the computer hard drive. Although the computer hard drive remains missing, there has been no indication of unauthorized use of the information.

It is important to know that, although not related to this incident, MedAssets is no longer a vendor of CCHHS. However, in response to this incident, MedAssets initiated corrective action, including ensuring no other CCHHS data are at risk.

[…]

In their report to HHS, CCHHS indicated that 32,008 patients were affected.

An unencrypted drive left in a car in a restaurant parking lot. Heads should have rolled for that one. What did this breach cost in terms of investigation and notifications? Those costs will ultimately drive up the cost of our health care. I find this type of breach inexcusable in this day and age and wish HHS/OCR would hand out a hefty fine or two to send the word that entities had damned well better make compliance with good security practices more of a priority.

Category: Health Data
