The New York Times provides some additional details on the breach involving NewYork-Presbyterian Hospital/Weill Cornell Medical Center:
The theft – which occurred over the past several years and included patients’ names, phone numbers and Social Security numbers – was discovered during a federal investigation, and the hospital was notified in January, the spokeswoman, Myrna Manners, said. An internal audit by the hospital confirmed the theft, she said.
The hospital does not believe that any medical information was stolen, Ms. Manners said, adding that there is no evidence that the stolen information has been used.
She declined to identify the employee who the hospital believes stole the data.
“We obviously deeply regret that this has happened,” she said, adding that the hospital, at East 68th Street and York Avenue, was trying to contact all patients involved.
Investigators were looking into the possibility that the theft could be part of a larger criminal scheme, Ms. Manners said.
The United States attorney’s office for the Southern District of New York was investigating the theft, a spokeswoman said, along with the United States Postal Inspection Service and the United States Secret Service. She declined to give details of the investigation.
Comment: If the hospital was notified in January, why are patients first being notified now? Did the federal investigators ask them to delay notification, or did it just take the hospital that long to figure out whom to notify? And how would they know that the stolen information hasn’t been used? Have they run checks on all 40,000 patients to determine if they’ve been the victims of ID theft?