DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

NY: Metropolitan Hospital Center notifies almost 4,000 patients of breach

Posted on June 19, 2015 by Dissent

The NYC Health and Hospitals Corporation is providing some powerful reminders of the importance of auditing and monitoring employee emails.

Last month, I noted that they had detected breaches involving patients at Bellevue Hospital and Jacobi Medical Center.  On June 1, HHC notified HHS of yet another email-related breach, this one involving Metropolitan Hospital Center. From their notification:

FOR IMMEDIATE RELEASE
June 1, 2015
Notification of Possible Personal Health Information Disclosure

The New York City Health and Hospitals Corporation (HHC) this week began to notify 3,957 HHC patients who received services at Metropolitan Hospital Center (Metropolitan) about the disclosure of some of their personal and/or protected health information (PHI) when an e-mail file that contained PHI (including some sensitive patient information) was improperly sent by a Metropolitan employee to his personal email account. A sample notification to the affected patients is attached explaining in greater detail the occurrence.

  • Letter in English
  • Letter in Spanish (Español)

As indicated in the notice to the patients, there is no evidence to suggest that the subject file was received or viewed by anyone other than the single employee recipient, who was authorized to receive the PHI but was not authorized to transmit it to his personal email account. There is no evidence to suggest that the PHI contained in the e-mail file was misused or disclosed in any manner.  The employee responsible for sending the e-mail has been terminated from employment with Metropolitan.

Consistent with federal regulatory requirements, HHC notified the federal oversight agency and initiated action to mitigate the risk presented by the unauthorized communication.

Based on actions taken by HHC, the email files in question have since been deleted from all known unauthorized sites to which they were sent and there is no basis to believe that they were forwarded to any other site before deletion.

Nonetheless, HHC has taken decisive steps to protect the individuals who are potentially affected, and through third-party vendor Kroll is offering free credit monitoring and identity protection services for one year to those patients whose medical records may have been improperly disclosed. HHC has also set up a toll-free hotline to provide additional information. Notifications will also be posted on the HHC website and will be distributed to news outlets.

HHC has taken immediate measures to prevent an incident of this nature from recurring in the future.  One of these measures include the automatic blocking of communications containing PHI and other personal information from being sent from HHC to any unauthorized site/entity outside of the HHC security network unless for a legitimate business purpose.

After three e-mail breaches in a short timeframe, I’d say such measures were definitely in order.

 

No related posts.

Category: Breach IncidentsHealth DataInsiderU.S.

Post navigation

← Laptops stolen from National Seating and Mobility contained some patient information
Blue Shield of California notifies some members of exposure breach following software update →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hunters International to provide free decryptors for all victims as they shut down (1)
  • SEC and SolarWinds Seek Settlement in Securities Fraud Case
  • Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen
  • Hacker with ‘political agenda’ stole data from Columbia, university says
  • Keymous+ Hacker Group Claims Responsibility for Over 700 Global DDoS Attacks
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • DOJ investigates ex-ransomware negotiator over extortion kickbacks
  • Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns
  • One in Five Law Firms Hit by Cyberattacks Over Past 12 Months
  • U.S. Sanctions Russian Bulletproof Hosting Provider for Supporting Cybercriminals Behind Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t
  • Oregon Amends Its Comprehensive Privacy Statute
  • Wisconsin Supreme Court’s Liberal Majority Strikes Down 176-Year-Old Abortion Ban

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.