The following statement was issued by the Health and Hospitals Corporation yesterday concerning a breach reported on this blog earlier today:
The New York City Health and Hospitals Corporation (HHC) this week began to notify nearly 1.7 million patients and hospital staff, as well as the employees of vendors, contractors, and others – who were all served by and/or provided services for or at Jacobi Medical Center, North Central Bronx Hospital and their two affiliated health centers during the past 20 years – about a recent reported theft of electronic files that contained their personal or protected health information (PHI). Notification letters to the groups affected are attached.
The data in the stolen files is not readily accessible without highly specialized technical expertise and data-mining tools, and there is no evidence to indicate that the information has been accessed and misused. Nonetheless, HHC has taken decisive steps to protect the individuals who are potentially affected. HHC is offering free credit monitoring and fraud resolution services for one year and has opened a toll-free phone information hotline at 1-877-412-7148. Those affected may also call 311 for information. Special customer care centers will open at both hospitals on February 14, 2011.
“We value and protect privacy and confidentiality and deeply regret any inconvenience and concern this may create for our patients, staff and others affected,” said HHC President Alan D. Aviles. “The loss of this data occurred through the negligence of a contracted firm that specializes in the secure transport and storage of sensitive data, but HHC is taking responsibility for providing information and credit monitoring services to any affected individual who may be worried about the possibility of identity theft.”
The files were reported stolen on December 23, 2010, from a vehicle operated by GRM Information Management Services. The theft occurred while the GRM van was left unattended and unlocked while the driver made other pickups. GRM reported the incident to the police and dismissed the driver of the vehicle. To date, the files have not been recovered.
HHC has taken immediate measures to prevent a similar situation from reoccurring; has terminated the contract with the vendor responsible for the loss; and has filed a lawsuit against the vendor to hold it responsible for covering all of the costs associated with notifying all affected individuals, and to pay for other damages related to the loss of the data.
In addition to patient PHI, the stolen files contained personal information collected from staff, vendors and contractors by the hospitals’ occupational health services. They also included personal information of the hospitals’ staff, vendors, and contractors that is electronically filed in order for these individuals to conduct their business at or provide services for the hospitals. PHI and personal information can include names, addresses, Social Security numbers, patients’ medical histories and the occupational/employee health information of staff, vendors, contractors, and others.
Outreach and Notification Process
HHC has reported this incident to all appropriate state and federal oversight, regulatory, and consumer protection agencies in the most expedient time possible and within the 60-day federal notice requirement. Agencies notified include the New York State Attorney General, the New York State Office of Cyber Security, the New York State Consumer Protection Board, the U.S. Department of Health and Human Services, and three nationwide consumer reporting agencies.
Letters in 17 languages have begun to be mailed to patients and affected individuals this week advising them of the theft and informing them of protective services that have been made available. HHC has offered one year of free credit protection services, including credit alerts and fraud resolution services. HHC has also set up a toll-free hotline, 1-877-412-7148, where patients and other affected individuals can talk to trained credit protection specialists who can also answer questions about the incident. In addition, special customer care centers will open on Feb. 14 at Jacobi and NCB hospitals to assist patients and help direct them to the telephone hotline for enrollment in the fraud protection programs. All notifications are expected to be completed within the next two weeks, in compliance with state and federal regulations. Notifications in all languages are also posted on the HHC website, www.nyc.gov/hhc, and the hospitals’ websites, and have been broadly distributed to numerous New York area news outlets.
Patients, staff, and others who have received care after 1991 at Jacobi Medical Center, North Central Bronx Hospital, Tremont Health Center and Gunhill Health Center, which together comprise the North Bronx Healthcare Network of HHC, may call 311 or the toll-free service line at 1-877-412-7148 to take advantage of free credit protection services or if they have questions about the incident.
Sample notification letters to patients, parents of minor patients, next of kin for deceased patients, and employees/contractors/vendors are on their web site. The notification to employees says:
On December 23, 2010, computer backup tapes from the North Bronx containing electronic data were stolen from a truck operated by our vendor, GRM Information Management Services (“GRM”), while the files were being transported to a secure storage location. The incident was reported by GRM to both North Bronx officials and the police the same day and an investigation was launched immediately. To date these tapes have not been recovered. Unfortunately, these backup tapes contain personal information of individuals who were granted access to the QuadraMed system. This information may include the following: name; social security number; Drug Enforcement Agency registration number; professional license number; and National Provider Identifier, if such information was provided to us. Our review indicates that your personal information was included in these backup tapes.
Carousel image of 125 Worth Street, NYC by Jim Henderson, who kindly released it into the public domain.